├── .gitignore
├── .travis.yml
├── README.md
├── deploy.sh
├── docs
├── _static
│ ├── img
│ │ ├── favicon.png
│ │ └── favicon.svg
│ └── js
│ │ └── extra.js
├── binary-core-tools
│ ├── debugger
│ │ └── ida.md
│ ├── file_structure
│ │ └── 010editor.md
│ ├── instrumentation
│ │ └── intel_pin.md
│ └── virtualization
│ │ └── qemu
│ │ ├── qemu-install-and-debug.md
│ │ ├── qemu-internals.md
│ │ └── qemu-introduction.md
├── collections.md
├── crypto.md
├── environment.md
├── index.md
├── misc.md
├── papers.md
├── pwn.md
├── reverse.md
├── unfinished.md
├── web-tools
│ ├── burpsuite.md
│ ├── fiddle.md
│ ├── web.md
│ └── wireshark.md
└── windows-binary-related
│ ├── PE
│ ├── die.md
│ ├── exeinfo.md
│ ├── importrec.md
│ └── peid.md
│ ├── debugger
│ ├── cheat_engine.md
│ ├── immunity_debugger.md
│ ├── ollydbg.md
│ ├── windbg.md
│ └── x32_x64_debugger.md
│ └── disassembler_and_decomplier
│ ├── hopper.md
│ ├── ida.md
│ └── radare2_and_cutter.md
├── mkdocs.yml
├── requirements.txt
└── runtime.txt
/.gitignore:
--------------------------------------------------------------------------------
site/

--------------------------------------------------------------------------------
/.travis.yml:
--------------------------------------------------------------------------------
language: python
python:
- 3.6
install:
- pip install -r requirements.txt
script: chmod +x deploy.sh && ./deploy.sh
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CTF Tools

[](https://www.travis-ci.org/ctf-wiki/ctf-tools)

A collection of tools used in CTF competitions, deployed with [MkDocs](https://github.com/mkdocs/mkdocs).

- Collections: tool collections
- Environment: environment setup
- Misc: miscellaneous
- Crypto: cryptography
- Reverse: reverse engineering
- Pwn: binary exploitation
- Web: web applications
- Papers: slides and books from security conferences

**All tools on this site were collected from the internet; scan them for malware and backdoors yourself.**
--------------------------------------------------------------------------------
/deploy.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
# Push HTML files to gh-pages automatically.

# Fill this out with the correct org/repo
ORG=ctf-wiki
REPO=ctf-tools
# This probably should match an email for one of your users.
EMAIL=git@40huo.cn

set -e

git remote add gh-token "https://${GH_TOKEN}@github.com/$ORG/$REPO.git";
git fetch gh-token && git fetch gh-token gh-pages:gh-pages;

# Update git configuration so I can push.
if [ "$1" != "dry" ]; then
    # Update git config.
    git config user.name "Travis Builder"
    git config user.email "$EMAIL"
fi

mkdocs gh-deploy -v --clean --remote-name gh-token;
--------------------------------------------------------------------------------
/docs/_static/img/favicon.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/ctf-wiki/ctf-tools/3ce92d942fc7b5d27ec4dc4177ae61e23b26e01c/docs/_static/img/favicon.png
--------------------------------------------------------------------------------
/docs/_static/img/favicon.svg:
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
/docs/_static/js/extra.js:
--------------------------------------------------------------------------------
window.MathJax = {
  tex2jax: {
    inlineMath: [ ["\\(","\\)"] ],
    displayMath: [ ["\\[","\\]"] ]
  },
  TeX: {
    TagSide: "right",
    TagIndent: ".8em",
    MultLineWidth: "85%",
    equationNumbers: {
      autoNumber: "AMS",
    },
    unicode: {
      fonts: "STIXGeneral,'Arial Unicode MS'"
    }
  },
  showProcessingMessages: false,
  messageStyle: "none"
};
--------------------------------------------------------------------------------
/docs/binary-core-tools/debugger/ida.md:
--------------------------------------------------------------------------------
ida

--------------------------------------------------------------------------------
/docs/binary-core-tools/file_structure/010editor.md:
--------------------------------------------------------------------------------
010 editor

--------------------------------------------------------------------------------
/docs/binary-core-tools/instrumentation/intel_pin.md:
--------------------------------------------------------------------------------
# intel pin

## What is pin

pin is a dynamic binary instrumentation tool developed by Intel. It supports x86/x64 on Windows, Linux and macOS, and offers a rich API with which users write analysis programs, called pintools, in C/C++.

### What is instrumentation

Loosely speaking, instrumentation means inserting code into existing source code or binaries to make them easier to analyse; printing variable values with printf while debugging is instrumentation at the source level. intel pin instruments at the binary level, with no source code required.

## pin and pintools

### Installing pin and compiling pintools
Installing pin is simple. Taking 64-bit Linux as an example: download the pin kit from the [official site](https://software.intel.com/en-us/articles/pin-a-binary-instrumentation-tool-downloads) and unpack it; the unpacked directory already contains the prebuilt pin binary.

```bash
pin-3.6-gcc-linux ls
doc extlicense extras ia32 intel64 LICENSE pin README redist.txt source
pin-3.6-gcc-linux file pin
pin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, BuildID[sha1]=7beaa83f9142955a6e933bf29d4a8aa1269298bc, stripped
pin-3.6-gcc-linux ./pin
E: Missing application name
Pin: pin-3.6-97554-31f0a167d
Copyright (c) 2003-2017, Intel Corporation. All rights reserved.

Usage: pin [OPTION] [-t []] --
Use -help for a description of options
```

**source/tools/ManualExamples** contains a number of ready-made pintools that cover the usage of most modules; the inscount0 pintool is used below to show how pin is used.
31 |
```bash
pin-3.6-gcc-linux cd source/tools/ManualExamples
ManualExamples file inscount0.cpp
inscount0.cpp: C source, ASCII text
ManualExamples make obj-intel64/inscount0.so TARGET=intel64
g++ -Wall -Werror -Wno-unknown-pragmas -D__PIN__=1 -DPIN_CRT=1 -fno-stack-protector -fno-exceptions -funwind-tables -fasynchronous-unwind-tables -fno-rtti -DTARGET_IA32E -DHOST_IA32E -fPIC -DTARGET_LINUX -fabi-version=2 -I../../../source/include/pin -I../../../source/include/pin/gen -isystem /home/m4x/pin-3.6-gcc-linux/extras/stlport/include -isystem /home/m4x/pin-3.6-gcc-linux/extras/libstdc++/include -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include/arch-x86_64 -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include/kernel/uapi -isystem /home/m4x/pin-3.6-gcc-linux/extras/crt/include/kernel/uapi/asm-x86 -I../../../extras/components/include -I../../../extras/xed-intel64/include/xed -I../../../source/tools/InstLib -O3 -fomit-frame-pointer -fno-strict-aliasing -c -o obj-intel64/inscount0.o inscount0.cpp
g++ -shared -Wl,--hash-style=sysv ../../../intel64/runtime/pincrt/crtbeginS.o -Wl,-Bsymbolic -Wl,--version-script=../../../source/include/pin/pintool.ver -fabi-version=2 -o obj-intel64/inscount0.so obj-intel64/inscount0.o -L../../../intel64/runtime/pincrt -L../../../intel64/lib -L../../../intel64/lib-ext -L../../../extras/xed-intel64/lib -lpin -lxed ../../../intel64/runtime/pincrt/crtendS.o -lpin3dwarf -ldl-dynamic -nostdlib -lstlport-dynamic -lm-dynamic -lc-dynamic -lunwind-dynamic
ManualExamples file obj-intel64/inscount0.so
obj-intel64/inscount0.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, BuildID[sha1]=3baa29dd54235acaab02edc94bf9ac377dd7b0e5, not stripped
```
42 |
This compiles inscount0.so into obj-intel64; this .so is a pintool, and its job is to count the number of instructions the program executes.

> To find out what a pintool does, read its source or run the following command:
>
> `pin -t your_pintool -h -- your_application`

Similarly, a 32-bit pintool is built with

```bash
make obj-ia32/inscount0.so
```

To build all the pintools in ManualExamples, use

```bash
make all TARGET=intel64
make all TARGET=ia32
```

### Using pin

The basic command format of pin is

```bash
pin -t your_pintool -- your_binary
```

Taking the inscount0 pintool just compiled as an example
71 |
```bash
ManualExamples ../../../pin -t ./obj-intel64/inscount0.so -- /bin/ls -a
. inscount2.cpp obj-intel64
.. inscount.out pinatrace.cpp
buffer_linux.cpp inscount_tls.cpp pin.log
buffer_windows.cpp invocation.cpp proccount.cpp
countreps.cpp isampling.cpp replacesigprobed.cpp
detach.cpp itrace.cpp safecopy.cpp
divide_by_zero_unix.c little_malloc.c stack-debugger.cpp
divide_by_zero_win.c logtrace.cpp stack-debugger-tutorial.sln
emudiv.cpp makefile stack-debugger-tutorial.vcxproj
fibonacci.cpp makefile.rules stack-debugger-tutorial.vcxproj.filters
follow_child_app1.cpp malloc.cpp statica.cpp
follow_child_app2.cpp malloc_mt.cpp staticcount.cpp
follow_child_tool.cpp malloctrace.cpp strace.cpp
fork_app.cpp myInscount0.cpp test
fork_jit_tool.cpp myInscount1.cpp test.c
imageload.cpp myMalloctrace.cpp test-packed
inscount0.cpp nonstatica.cpp tracer.cpp
inscount1.cpp obj-ia32 w_malloctrace.cpp
ManualExamples cat inscount.out
Count 813449
```
95 |
inscount saves its result in the file inscount.out by default; in the example above, the command **ls -a** executed 813449 instructions in total.

### Analysing a pintool

Again taking inscount0 as the example, look at the contents of inscount0.cpp
101 |
```C++
#include <iostream>
#include <fstream>
#include "pin.H"

ofstream OutFile;

// The running count of instructions is kept here
// make it static to help the compiler optimize docount
static UINT64 icount = 0;

// This function is called before every instruction is executed
VOID docount() { icount++; }

// Pin calls this function every time a new instruction is encountered
VOID Instruction(INS ins, VOID *v)
{
    // Insert a call to docount before every instruction, no arguments are passed
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
}

KNOB<string> KnobOutputFile(KNOB_MODE_WRITEONCE, "pintool",
    "o", "inscount.out", "specify output file name");

// This function is called when the application exits
VOID Fini(INT32 code, VOID *v)
{
    // Write to a file since cout and cerr maybe closed by the application
    OutFile.setf(ios::showbase);
    OutFile << "Count " << icount << endl;
    OutFile.close();
}

/* ===================================================================== */
/* Print Help Message                                                    */
/* ===================================================================== */

INT32 Usage()
{
    cerr << "This tool counts the number of dynamic instructions executed" << endl;
    cerr << endl << KNOB_BASE::StringKnobSummary() << endl;
    return -1;
}

/* ===================================================================== */
/* Main                                                                  */
/* ===================================================================== */
/*   argc, argv are the entire command line: pin -t <toolname> -- ...    */
/* ===================================================================== */

int main(int argc, char * argv[])
{
    // Initialize pin
    if (PIN_Init(argc, argv)) return Usage();

    OutFile.open(KnobOutputFile.Value().c_str());

    // Register Instruction to be called to instrument instructions
    INS_AddInstrumentFunction(Instruction, 0);

    // Register Fini to be called when the application exits
    PIN_AddFiniFunction(Fini, 0);

    // Start the program, never returns
    PIN_StartProgram();

    return 0;
}
```
171 |
Starting from main, PIN_Init is called first (line 53 of the listing) to initialise pin; then INS_AddInstrumentFunction registers an instrumentation function (line 58). According to the intel pin [user manual](https://software.intel.com/sites/landingpage/pintool/docs/97619/Pin/html/):

```C
PIN_CALLBACK LEVEL_PINCLIENT::INS_AddInstrumentFunction ( INS_INSTRUMENT_CALLBACK fun,
                                                          VOID * val
                                                        )
Add a function used to instrument at instruction granularity

Parameters:
    fun   Instrumentation function for instructions
    val   passed as the second argument to the instrumentation function
Returns:
    PIN_CALLBACK A handle to a callback that can be used to further modify this callback's properties
Note:
    The pin client lock is obtained during the call of this API.
Availability:
    Mode: JIT
    O/S: Linux, Windows & OS X*
    CPU: All
```

Here the function's role is to insert the Instruction function at instruction granularity: every instruction passes through Instruction when pin encounters it, before it is executed. The second argument is an extra value handed on to Instruction, corresponding to its `VOID *v` parameter, which is unused here. The first parameter Instruction receives is an `INS` object representing one instruction.

Now look at the Instruction function itself

```C
VOID Instruction(INS ins, VOID *v)
{
    // Insert a call to docount before every instruction, no arguments are passed
    INS_InsertCall(ins, IPOINT_BEFORE, (AFUNPTR)docount, IARG_END);
}
```

Inside Instruction, INS_InsertCall registers the function docount, so docount is what actually gets inserted before every instruction. Note that INS_InsertCall is a variadic function: its first three parameters are the instruction (ins), the insertion point (IPOINT_BEFORE, meaning docount is inserted before the instruction runs) and the function pointer (docount, cast to AFUNPTR); the parameters after that are the arguments passed to docount, terminated by IARG_END.

The purpose of docount (line 12) is then obvious: each call increments a global variable by 1, so /bin/ls -a runs in the following pattern:
208 |
```assembly
...
icount++;
sub $0xff, %edx
icount++;
cmp %esi, %edx
icount++;
jle
icount++;
mov $0x1, %edi
icount++;
add $0x10, %eax
...
```
223 |
So inscount0's purpose is clear: docount is called before every instruction and increments the global icount, and finally the Fini function (line 25), registered with PIN_AddFiniFunction, writes the result to a file.

Once these functions are defined, PIN_StartProgram starts the program.

This analysed the simplest pintool example; for analyses of more pintool examples and the use of other functions, see BrieflyX's [blog](http://brieflyx.me/2017/binary-analysis/intel-pin-intro/).



## pin in CTF

Because dynamic instrumentation collects information about a binary without recompiling it, pin makes solving **some** CTF challenges unusually convenient. Some examples and analyses follow.

### NDH2K13-crackme-500

First analyse the crackme file with the usual methods
239 |
```bash
NDH2k13-crackme-500 [master] file crackme
crackme: ELF 64-bit LSB executable, x86-64, invalid version (SYSV), for GNU/Linux 2.6.9, statically linked, corrupted section header size
NDH2k13-crackme-500 [master] nm ./crackme

nm: out of memory allocating 109524665216 bytes after a total of 0 bytes
NDH2k13-crackme-500 [master] objdump -d ./crackme -M intel
objdump: ./crackme: 不可识别的文件格式
NDH2k13-crackme-500 [master] ./crackme
Jonathan Salwan loves you <3
----------------------------

Password: test
Bad password
```
255 |
The section header turns out to be corrupted, and IDA reports many errors when opening the file, so we try solving this challenge with intel pin, starting with the most common approach: counting instructions.
257 |
```bash
NDH2k13-crackme-500 [master] ~/pin-3.6-gcc-linux/pin -t ./inscount0.so -- ./crackme <<< "a" >> /dev/null; cat inscount.out
Count 160345
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "a"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 163218
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "aa"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 166014
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "aaa"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 168810
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "aaaa"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 171606
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "aaaaa"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 174402
NDH2k13-crackme-500 [master●] bpython
bpython version 0.17.1 on top of Python 2.7.13+ /usr/bin/python2
>>> 174402 - 171606 == 171606 - 168810 == 168810 - 166014 == 166014 - 163218
True
>>>
```
297 |
Here we notice an interesting property: each time the input length grows by 1, the instruction count grows by the same constant amount.

> myInscount0 is a pintool I modified from inscount0; the change is that the result is printed to standard output instead of being saved to a file

We write a simple script, guessLen.py, to see how the instruction count changes as the input length grows

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 (the run below used Python 2.7)

from subprocess import Popen, PIPE

pinPath = "/home/m4x/pin-3.6-gcc-linux/pin"
# run the binary under pin with the given pintool, feeding input over stdin
pinInit = lambda tool, elf: Popen([pinPath, '-t', tool, '--', elf], stdin = PIPE, stdout = PIPE)
pinWrite = lambda cont: pin.stdin.write(cont)
pinRead = lambda : pin.communicate()[0]

if __name__ == "__main__":
    last = 0
    for i in xrange(1, 30):
        pin = pinInit("./myInscount0.so", "./crackme")
        pinWrite("a" * i + '\n')
        # myInscount0 prints "Count: N" to stdout
        now = int(pinRead().split("Count: ")[1])

        print "inputLen({:2d}) -> ins({}) -> delta({})".format(i, now, now - last)
        last = now
```
328 |
On my machine the result is:

```bash
NDH2k13-crackme-500 [master●] python guessLen.py
inputLen( 1) -> ins(160307) -> delta(160307)
inputLen( 2) -> ins(163103) -> delta(2796)
inputLen( 3) -> ins(165899) -> delta(2796)
inputLen( 4) -> ins(168695) -> delta(2796)
inputLen( 5) -> ins(171491) -> delta(2796)
inputLen( 6) -> ins(174287) -> delta(2796)
inputLen( 7) -> ins(177083) -> delta(2796)
inputLen( 8) -> ins(182804) -> delta(5721)
inputLen( 9) -> ins(182676) -> delta(-128)
inputLen(10) -> ins(185472) -> delta(2796)
inputLen(11) -> ins(188268) -> delta(2796)
inputLen(12) -> ins(191064) -> delta(2796)
inputLen(13) -> ins(193860) -> delta(2796)
inputLen(14) -> ins(196656) -> delta(2796)
inputLen(15) -> ins(199452) -> delta(2796)
inputLen(16) -> ins(202248) -> delta(2796)
inputLen(17) -> ins(205044) -> delta(2796)
inputLen(18) -> ins(207840) -> delta(2796)
inputLen(19) -> ins(210636) -> delta(2796)
inputLen(20) -> ins(213432) -> delta(2796)
inputLen(21) -> ins(216228) -> delta(2796)
inputLen(22) -> ins(219024) -> delta(2796)
inputLen(23) -> ins(221820) -> delta(2796)
inputLen(24) -> ins(224616) -> delta(2796)
inputLen(25) -> ins(227412) -> delta(2796)
inputLen(26) -> ins(230208) -> delta(2796)
inputLen(27) -> ins(244188) -> delta(13980)
inputLen(28) -> ins(244188) -> delta(0)
inputLen(29) -> ins(244188) -> delta(0)
```
363 |
We can see that for input lengths < 8 the instruction count grows steadily, but between length 7 and length 8 there is a sudden jump. We can therefore boldly guess that with an input of length 8 the program's execution flow changes significantly, so the correct flag length is 8.

Taking an input length of 8 as given, we next look at how the instruction count changes for different inputs
367 |
```bash
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< ">???????"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 185714
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "????????"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 185714
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "@???????"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 185714
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "A???????"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 189752
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "B???????"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 185714
NDH2k13-crackme-500 [master●] ~/pin-3.6-gcc-linux/pin -t ./myInscount0.so -- ./crackme <<< "C???????"
Jonathan Salwan loves you <3
----------------------------

Password: Bad password
Count: 185714
```
406 |
We can see that as the first character increases in ASCII order, the instruction count changes when it is A, so we further guess that the first character of the correct flag is A.

Now write a script, guessPWD.py, to brute-force the flag character by character

```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Python 2 (the run below used Python 2.7)

from subprocess import Popen, PIPE
import string
import pdb

pinPath = "/home/m4x/pin-3.6-gcc-linux/pin"
# run the binary under pin with the given pintool, feeding input over stdin
pinInit = lambda tool, elf: Popen([pinPath, '-t', tool, '--', elf], stdin = PIPE, stdout = PIPE)
pinWrite = lambda cont: pin.stdin.write(cont)
pinRead = lambda : pin.communicate()[0]

if __name__ == "__main__":
    last = 0
    # dic = map(chr, xrange(0x20, 0x80))
    dic = string.ascii_letters + string.digits + "+_ "
    pwd = '?' * 8          # length 8, as guessed above
    dicIdx = 0
    pwdIdx = 0

    while True:
        # try the next candidate character at the current position
        pwd = pwd[: pwdIdx] + dic[dicIdx] + pwd[pwdIdx + 1: ]
        # pdb.set_trace()
        pin = pinInit("./myInscount1.so", "./crackme")
        pinWrite(pwd + '\n')
        now = int(pinRead().split("Count: ")[1])

        print "input({}) -> now({}) -> delta({})".format(pwd, now, now - last)

        # a jump in the count means this character passed the check:
        # keep it and move on to the next position
        if now - last > 2000 and dicIdx:
            pwdIdx += 1
            dicIdx = -1
            last = 0
            if pwdIdx >= len(pwd):
                print "Found pwd: {}".format(pwd)
                break

        dicIdx += 1
        last = now
```
454 |
The result is as follows

```bash
NDH2k13-crackme-500 [master●] time python guessPWD.py
input(a???????) -> now(182804) -> delta(182804)
input(b???????) -> now(182804) -> delta(0)
input(c???????) -> now(182804) -> delta(0)
input(d???????) -> now(182804) -> delta(0)
input(e???????) -> now(182804) -> delta(0)
input(f???????) -> now(182804) -> delta(0)
input(g???????) -> now(182804) -> delta(0)
input(h???????) -> now(182804) -> delta(0)
input(i???????) -> now(182804) -> delta(0)
input(j???????) -> now(182804) -> delta(0)
input(k???????) -> now(182804) -> delta(0)
input(l???????) -> now(182804) -> delta(0)
input(m???????) -> now(182804) -> delta(0)
input(n???????) -> now(182804) -> delta(0)
input(o???????) -> now(182804) -> delta(0)
input(p???????) -> now(182804) -> delta(0)
input(q???????) -> now(182804) -> delta(0)
......
input(AzI0wBsO) -> now(211070) -> delta(0)
input(AzI0wBsP) -> now(211069) -> delta(-1)
input(AzI0wBsQ) -> now(211069) -> delta(0)
input(AzI0wBsR) -> now(211069) -> delta(0)
input(AzI0wBsS) -> now(211069) -> delta(0)
input(AzI0wBsT) -> now(211069) -> delta(0)
input(AzI0wBsU) -> now(211069) -> delta(0)
input(AzI0wBsV) -> now(211069) -> delta(0)
input(AzI0wBsW) -> now(211069) -> delta(0)
input(AzI0wBsX) -> now(214976) -> delta(3907)
Found pwd: AzI0wBsX
python guessPWD.py 31.04s user 14.72s system 105% cpu 43.341 total
```

Verify it

```bash
NDH2k13-crackme-500 [master●] ./crackme
Jonathan Salwan loves you <3
----------------------------

Password: AzI0wBsX
Good password
```
501 |
So we guessed the flag in under 5 minutes.

> inscount1 (basic-block-level instrumentation) gives the same result as inscount0 (instruction-level) but is faster; when actually solving challenges, inscount1 can replace inscount0
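
The length-then-character search that guessLen.py and guessPWD.py perform above, written as one routine with the Pin run hidden behind an oracle function (an added example, not code from the original page). `pin_oracle` assumes a myInscount0/myInscount1-style tool that prints `Count: N`; `make_fake_crackme` is a constructed stand-in whose numbers follow the shape of the runs above so that the code runs offline. It goes slightly beyond the page's scripts: at each position it keeps the character with the largest count instead of the first jump, which also covers the case where the correct character is the first one tried.

```python
"""Instruction-count side-channel search (added example, not from the page)."""
from __future__ import annotations

import string
import subprocess
from typing import Callable

# An oracle maps a candidate password to the dynamic instruction count the
# target executes on it.
Oracle = Callable[[bytes], int]

ALPHABET = (string.ascii_letters + string.digits + "+_ ").encode()


def pin_oracle(pin_path: str, tool: str, binary: str) -> Oracle:
    """Real oracle: run `pin -t <tool> -- <binary>` with the candidate on stdin.
    Assumes the tool prints 'Count: N' like the page's myInscount0/myInscount1."""
    def run(pwd: bytes) -> int:
        proc = subprocess.run([pin_path, "-t", tool, "--", binary],
                              input=pwd + b"\n", stdout=subprocess.PIPE, check=False)
        return int(proc.stdout.split(b"Count: ")[1])
    return run


def make_fake_crackme(secret: bytes) -> Oracle:
    """Constructed stand-in for the NDH2K13 crackme under Pin. The numbers are
    made up but reproduce the shape seen above: a fixed cost per input byte,
    a jump once the length is right, and a further jump per matching byte."""
    def run(pwd: bytes) -> int:
        count = 160000 + 2796 * len(pwd)          # per-byte read loop
        if len(pwd) != len(secret):
            return count                          # length check fails early
        count += 5000                             # length ok: enter the compare loop
        for got, want in zip(pwd, secret):
            if got != want:
                break
            count += 4000                         # each matching byte runs one more round
        return count
    return run


def guess_length(oracle: Oracle, max_len: int = 32, filler: bytes = b"a") -> int:
    """Grow the input one byte at a time. The count rises by a constant per byte
    until the length check passes, so the first delta that breaks the pattern
    marks the expected length (7 -> 8 in the runs above)."""
    counts = [oracle(filler * n) for n in range(1, max_len + 1)]
    deltas = [b - a for a, b in zip(counts, counts[1:])]   # deltas[k]: len k+2 minus len k+1
    for k in range(1, len(deltas)):
        if deltas[k] != deltas[0]:
            return k + 2
    raise ValueError("no length-dependent jump in the first %d lengths" % max_len)


def guess_password(oracle: Oracle, length: int, alphabet: bytes = ALPHABET,
                   threshold: int = 2000) -> bytes:
    """Position by position, try every alphabet byte and keep the one whose count
    stands out. Wrong bytes all cost the same (give or take a few instructions,
    hence the threshold); the right one runs the next round of the check."""
    pwd = bytearray(b"?" * length)
    for pos in range(length):
        counts = {}
        for c in alphabet:
            pwd[pos] = c
            counts[c] = oracle(bytes(pwd))
        best = max(counts, key=counts.__getitem__)
        if counts[best] - min(counts.values()) <= threshold:
            raise ValueError("no byte stands out at position %d" % pos)
        pwd[pos] = best
    return bytes(pwd)


def solve(oracle: Oracle) -> bytes:
    """Recover the length first, then the bytes."""
    return guess_password(oracle, guess_length(oracle))


if __name__ == "__main__":
    # Offline demo against the constructed crackme; swap in
    # pin_oracle("/path/to/pin", "./myInscount1.so", "./crackme") for a real run.
    print(solve(make_fake_crackme(b"AzI0wBsX")).decode())
```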
505 |
### hxpCTF-2017-main_strip

A challenge from hxpCTF 2017 shows how to adapt a pintool for solving. We focus on the steps of modifying the pintool; for recovering the symbol table and analysing the program flow, refer to this [writeup](http://eternal.red/2017/dont_panic-writeup/).

We first try to solve this challenge with the method from the previous example
511 |
```bash
hxpCTF-2017-main_strip [master●●] ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a
Nope.
Count: 517715
hxpCTF-2017-main_strip [master●●] ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a
Nope.
Count: 545828
hxpCTF-2017-main_strip [master●●] ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a
Nope.
Count: 532656
hxpCTF-2017-main_strip [master●●] ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a
Nope.
Count: 524544
hxpCTF-2017-main_strip [master●●] ~/pin-3.6-gcc-linux/pin -t ./myInscount1.so -- ./main_strip a
Nope.
Count: 582401
```
529 |
Unfortunately, even with the same input the instruction count varies considerably, so this challenge is hard to solve with the existing pintool. Analysing further, the key part of the flag check can be expressed as the following code

```C
for (int i=0; i
```

> However, because this challenge executes many instructions, instruction-level instrumentation takes quite a long time: about 1h is needed to obtain the flag

## Challenges
- xman2018 qualifier: ollvm


## Summary

- intel pin can solve some CTF challenges, especially reversing challenges built on virtual machines or heavy obfuscation, but pin's uses are by no means limited to solving CTF challenges
- pin can solve some CTF challenges, but only some: for most challenges the instrumentation cost is high, the side-channel information is hard to extract, and the pintool is hard to write, so solving them with pin is not worth the effort. Using pin for CTF challenges therefore comes down to one rule:
- if it works, it is a huge win; if it does not, nothing is lost
571 |
## Reference

- http://shell-storm.org/blog/A-binary-analysis-count-me-if-you-can/
- http://brieflyx.me/2017/binary-analysis/intel-pin-intro/
- http://eternal.red/2017/dont_panic-writeup/
- https://github.com/0x01f/pin-in-CTF

--------------------------------------------------------------------------------
/docs/binary-core-tools/virtualization/qemu/qemu-install-and-debug.md:
--------------------------------------------------------------------------------
## Installing qemu

### Using the package manager
Normally, unless there is a special need (such as running a program or kernel for a foreign architecture from a CTF challenge), simply install it with your distribution's package manager
```bash
Arch: pacman -S qemu

Debian/Ubuntu: apt-get install qemu

Fedora: dnf install @virtualization

Gentoo: emerge --ask app-emulation/qemu

RHEL/CentOS: yum install qemu-kvm

SUSE: zypper install qemu
```

> Only installation on Linux is described here; for other systems refer to the [official website](https://www.qemu.org/download/)

### Building from source
The qemu version installed by package managers is usually old; if a newer qemu is needed, it can be built from source. Building the latest qemu is used as the example here.

```bash
wget https://download.qemu.org/qemu-3.1.0-rc3.tar.xz
tar xvJf qemu-3.1.0-rc3.tar.xz
cd qemu-3.1.0-rc3
```

Use `./configure --help` to see the build options; the `--target-list` option selects which emulators to build, and all are selected by default

> In `--target-list`, `xxx-softmmu` and `xxx-linux-user` refer to the system emulator and the user-mode (application) emulator respectively; the resulting binaries are named `qemu-system-xxx` and `qemu-xxx`

Build with the default options here
```bash
./configure
make -j8
```

Then install
```bash
sudo make install
```

Installed successfully
```bash
~ qemu-arm --version
qemu-arm version 3.0.93
Copyright (c) 2003-2018 Fabrice Bellard and the QEMU Project developers
```
51 |
## Using qemu
Taking CISCN 2017's [babydriver](https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/kernel/CISCN2017-babydriver) as an example, look at the boot script

```bash
CISCN2017_babydriver [master●] bat boot.sh
───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: boot.sh
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ #!/bin/bash
   2   │
   3   │ qemu-system-x86_64 -initrd rootfs.cpio -kernel bzImage -append 'console=ttyS0 root=/dev/ram oops=panic panic=1' -enable-kvm -monitor /dev/null -m 64M -
       │ -nographic -smp cores=1,threads=1 -cpu kvm64,+smep
```
We can see that this challenge uses `qemu-system-x86_64` to boot the kernel `bzImage` with `rootfs.cpio` as its filesystem, passes the boot parameters `console=ttyS0 ... panic=1`, and gives the process 64M of memory.

> For the meaning of the other parameters see `-h` or the [qemu-doc](https://qemu.weilnetz.de/doc/qemu-doc.html).


> If qemu is installed via the package manager, installing `qemu-system-x86_64` is enough
```bash
sudo apt install qemu-system-x86
```

Because kvm is used, it must be started with root privileges
```bash
CISCN2017_babydriver [master●] sudo ./boot.sh
......
......
/ $ id
uid=1000(ctf) gid=1000(ctf) groups=1000(ctf)
/ $ ls
bin etc init linuxrc root sys usr
dev home lib proc sbin tmp
```

> For more analysis of this challenge see this [link](https://ctf-wiki.github.io/ctf-wiki/pwn/linux/kernel/kernel_uaf/#ciscn2017-babydriver)


Similarly, look at Codegate 2018's [Melong](https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/arm/Codegate2018_Melong)
```bash
Codegate2018_Melong [master] check melong
+ file melong
melong: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.3, for GNU/Linux 3.2.0, BuildID[sha1]=2c55e75a072020303e7c802d32a5b82432f329e9, not stripped
+ checksec melong
[*] '/home/m4x/Projects/pwn_repo/Codegate2018_Melong/melong'
    Arch:     arm-32-little
    RELRO:    Partial RELRO
    Stack:    No canary found
    NX:       NX enabled
    PIE:      No PIE (0x10000)
```
We can see it is a 32-bit arm program, so `qemu-arm` needs to be installed

> If installing via the package manager:
```bash
$ sudo apt-get install qemu-user
$ sudo apt-get install qemu-user-binfmt qemu-user-binfmt:i386
```
This installs `qemu-arm`

But because the program is dynamically linked, the matching libc must be installed as well; search for it with `apt search "libc6-" | grep "ARCH"`, for example
```bash
Codegate2018_Melong [master] apt search "libc6-"| grep arm
p   libc6-arm64-cross               - GNU C Library: Shared libraries (for cross-compiling)
v   libc6-arm64-dcv1                -
v   libc6-armel-armel-cross         -
p   libc6-armel-armhf-cross         - Dummy package to get libc6:armel installed
p   libc6-armel-cross               - GNU C Library: Shared libraries (for cross-compiling)
v   libc6-armel-dcv1                -
p   libc6-armhf-armel-cross         - Dummy package to get libc6:armhf installed
v   libc6-armhf-armhf-cross         -
p   libc6-armhf-cross               - GNU C Library: Shared libraries (for cross-compiling)
v   libc6-armhf-dcv1                -
p   libc6-dbg-arm64-cross           - GNU C Library: detached debugging symbols (for cross-compiling)
v   libc6-dbg-arm64-dcv1            -
p   libc6-dbg-armel-cross           - GNU C Library: detached debugging symbols (for cross-compiling)
v   libc6-dbg-armel-dcv1            -
p   libc6-dbg-armhf-cross           - GNU C Library: detached debugging symbols (for cross-compiling)
v   libc6-dbg-armhf-dcv1            -
p   libc6-dev-arm64-cross           - GNU C Library: Development Libraries and Header Files (for cross-compiling)
v   libc6-dev-arm64-cross:i386      -
v   libc6-dev-arm64-dcv1            -
v   libc6-dev-armel-armel-cross     -
p   libc6-dev-armel-armhf-cross     - Dummy package to get libc6-dev:armel installed
p   libc6-dev-armel-cross           - GNU C Library: Development Libraries and Header Files (for cross-compiling)
v   libc6-dev-armel-cross:i386      -
v   libc6-dev-armel-dcv1            -
p   libc6-dev-armhf-armel-cross     - Dummy package to get libc6-dev:armhf installed
v   libc6-dev-armhf-armhf-cross     -
p   libc6-dev-armhf-cross           - GNU C Library: Development Libraries and Header Files (for cross-compiling)
v   libc6-dev-armhf-cross:i386      -
v   libc6-dev-armhf-dcv1            -
```
145 | 只需要安装 `libc6-ARCH-cross` 的包即可。
146 |
147 | 装好后使用 `-L` 指定共享库路径即可运行文件。
148 | ```bash
149 | $ qemu-arm -L /usr/arm-linux-gnueabi ./melong
150 | ```
151 |
152 | > 这道题目的更多分析可以看 [link](http://m4x.fun/post/how-2-pwn-an-arm-binary/#codegate2018-melong)
153 |
154 | 如果是静态的程序,不需要 libc,则可以不用 `-L` 选项,如 Jarvis-OJ 的 [typo](https://github.com/ctf-wiki/ctf-challenges/tree/master/pwn/arm/jarvisOJ_typo)
155 |
156 | ```bash
157 | jarvisOJ_typo [master] check ./typo
158 | + file ./typo
159 | ./typo: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=211877f58b5a0e8774b8a3a72c83890f8cd38e63, stripped
160 | + checksec ./typo
161 | [*] '/home/m4x/Projects/pwn_repo/jarvisOJ_typo/typo'
162 | Arch: arm-32-little
163 | RELRO: Partial RELRO
164 | Stack: No canary found
165 | NX: NX enabled
166 | PIE: No PIE (0x8000)
167 | jarvisOJ_typo [master] qemu-arm ./typo
168 | Let's Do Some Typing Exercise~
169 | Press Enter to get start;
170 | Input ~ if you want to quit
171 | ^C
172 | ```
173 |
174 | ## How to debug
175 |
176 | There are two cases:
177 |
178 | 1. Debugging the qemu process itself
179 | 2. Debugging the program running inside qemu
180 |
181 | ### Debugging qemu
182 | For the first case, simply attach gdb to qemu's PID. To make debugging easier, pass the `--enable-debug` option at build time so that symbols and other debug information are kept.
183 | ```
184 | --enable-debug enable common debug build options
185 | ```
186 | This process will be covered in detail in the later section on qemu escapes.
187 |
188 | ### Debugging a process inside qemu
189 | qemu provides a gdb interface; enable it by specifying a port with `-g`:
190 | ```
191 | -g port QEMU_GDB wait gdb connection to 'port'
192 | ```
193 |
194 | To debug programs of a foreign architecture you also need to install `gdb-multiarch`:
195 | ```bash
196 | sudo apt install gdb-multiarch
197 | ```
198 | For example, for Melong, run
199 | ```bash
200 | $ qemu-arm -g 1234 -L /usr/arm-linux-gnueabi ./melong
201 | ```
202 | to start the program, then in another shell launch `gdb-multiarch` on the binary and connect to the specified port to debug it:
203 | ```bash
204 | Codegate2018_Melong [master] gdb-multiarch ./melong -q
205 | pwndbg: loaded 175 commands. Type pwndbg [filter] for a list.
206 | pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
207 | Reading symbols from ./melong...(no debugging symbols found)...done.
208 | pwndbg> target remote localhost:1234
209 | ```
210 |
211 | > gdb-multiarch can debug most programs.
212 | >
213 | > Some programs, however, cannot be debugged with gdb-multiarch; in that case build the toolchain for the target architecture, e.g. `arm-none-eabi-gdb`
214 | >
215 | > Or use system-mode qemu to create a virtual machine of the target architecture; a link is given at the end of this article, and this method will be covered later.
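The two-shell procedure above (start `qemu-ARCH -g PORT`, then attach `gdb-multiarch`) folded into one launcher script, as an added example that is not part of the original page. It assumes the qemu-user binaries are named `qemu-<arch>`, that the sysroots come from the `libc6-<arch>-cross` packages under `/usr`, and that `gdb-multiarch` is on PATH; `set sysroot` is gdb's own command, used so the guest libc symbols resolve from the cross sysroot rather than the host's.

```shell
#!/usr/bin/env bash
# qemu-gdb.sh (added example, not from the original page): run a foreign-arch
# user-mode binary under qemu with the gdb stub enabled, then attach
# gdb-multiarch. Assumed layout: qemu-user binaries named qemu-<arch>, cross
# sysroots from the libc6-<arch>-cross packages under /usr, gdb-multiarch on PATH.
set -eu

# qemu-user binary for a short arch name (armhf binaries also run under qemu-arm).
qemu_for_arch() {
  case "$1" in
    arm|armhf) echo qemu-arm ;;
    aarch64)   echo qemu-aarch64 ;;
    mips)      echo qemu-mips ;;
    mipsel)    echo qemu-mipsel ;;
    *) echo "unsupported arch: $1" >&2; return 1 ;;
  esac
}

# Sysroot installed by libc6-<arch>-cross; this is the directory -L points at.
sysroot_for_arch() {
  case "$1" in
    arm)     echo /usr/arm-linux-gnueabi ;;
    armhf)   echo /usr/arm-linux-gnueabihf ;;
    aarch64) echo /usr/aarch64-linux-gnu ;;
    mips)    echo /usr/mips-linux-gnu ;;
    mipsel)  echo /usr/mipsel-linux-gnu ;;
    *) echo "unsupported arch: $1" >&2; return 1 ;;
  esac
}

# Print 1 when `file` reports the binary as statically linked (no -L needed).
is_static() {
  file -b "$1" | grep -q 'statically linked' && echo 1 || echo 0
}

# Build "qemu-ARCH -g PORT [-L SYSROOT] BINARY". The static flag (0/1) is an
# explicit argument so the function can be exercised without a real binary.
build_qemu_cmd() {
  local arch=$1 port=$2 bin=$3 static=$4 qemu sysroot
  qemu=$(qemu_for_arch "$arch") || return 1
  if [ "$static" = 1 ]; then
    echo "$qemu -g $port $bin"
  else
    sysroot=$(sysroot_for_arch "$arch") || return 1
    echo "$qemu -g $port -L $sysroot $bin"
  fi
}

# gdb commands for the debugger side. `set sysroot` makes gdb-multiarch resolve
# the guest libc from the cross sysroot instead of the host's /lib.
gdb_commands() {
  local arch=$1 port=$2 static=$3
  if [ "$static" = 0 ]; then
    echo "set sysroot $(sysroot_for_arch "$arch")"
  fi
  echo "target remote localhost:$port"
}

main() {
  local arch=$1 bin=$2 port=${3:-1234} static cmds qemu_pid
  static=$(is_static "$bin")
  # The guest waits on the port until gdb connects, so background it.
  eval "$(build_qemu_cmd "$arch" "$port" "$bin" "$static")" &
  qemu_pid=$!
  trap "kill $qemu_pid 2>/dev/null" EXIT
  cmds=$(mktemp)
  gdb_commands "$arch" "$port" "$static" > "$cmds"
  gdb-multiarch -q "$bin" -x "$cmds"
  rm -f "$cmds"
}

# Only act when invoked with arguments: <arch> <binary> [port]
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run as `./qemu-gdb.sh arm ./melong 1234`; a statically linked binary such as `typo` is recognised through `file` and launched without `-L`.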
216 |
217 | Notably, system-mode qemu also provides a few additional options:
218 | ```
219 | -gdb dev wait for gdb connection on 'dev'
220 | -s shorthand for -gdb tcp::1234
221 | -S freeze CPU at startup (use 'c' to start execution)
222 | ```
223 |
224 | `-gdb` works like `-g`; with `-gdb tcp::1234` you can debug from gdb through port 1234.
225 |
226 | `-s` is shorthand for `-gdb tcp::1234`.
227 |
228 | `-S` freezes the virtual machine at startup for convenient debugging, similar to pwntools' [gdb.debug()](http://docs.pwntools.com/en/stable/gdb.html?highlight=gdb.debug#pwnlib.gdb.debug).
229 |
230 |
231 | ## References
232 |
233 | https://www.ringzerolabs.com/2018/03/the-wonderful-world-of-mips.html
234 |
--------------------------------------------------------------------------------
/docs/binary-core-tools/virtualization/qemu/qemu-internals.md:
--------------------------------------------------------------------------------
1 | ## Memory management
2 |
3 | ## Device emulation
4 |
--------------------------------------------------------------------------------
/docs/binary-core-tools/virtualization/qemu/qemu-introduction.md:
--------------------------------------------------------------------------------
1 | ## What is qemu
2 |
3 | [qemu](https://www.qemu.org/) is an open-source hosted virtual machine written by [Fabrice Bellard](https://bellard.org/) and others that can perform hardware virtualization; its advantages include high speed (together with kvm) and cross-platform support.
4 |
5 | qemu emulates the CPU through dynamic binary translation and provides a set of device models, which lets it run a variety of unmodified guest OSes.
6 |
7 | In CTF competitions, qemu is mostly used to run binaries of foreign architectures (mips, arm, etc.), kernels and bootloaders; sometimes it also appears as the program to be pwned.
8 |
9 | ### Run modes
10 |
11 | qemu has several run modes; the two commonly used ones are `User-mode emulation` and `System emulation`.
12 |
13 | #### User-mode emulation
14 | User mode. In this mode qemu runs a single linux or macOS/darwin program of another instruction set, **allowing a program compiled for one architecture to run on another**.
15 |
16 | #### System emulation
17 | System mode. In this mode qemu emulates a complete computer system, including peripherals.
18 |
19 | > Examples of both cases will follow.
20 |
21 | ## Reference
22 |
23 | https://wiki.qemu.org/Main_Page
24 |
25 | https://qemu.weilnetz.de/doc/qemu-doc.html
26 |
27 | https://wiki.qemu.org/Documentation
28 |
29 | https://en.wikipedia.org/wiki/QEMU
30 |
31 |
--------------------------------------------------------------------------------
/docs/collections.md:
--------------------------------------------------------------------------------
1 | # Tool Collections
2 |
3 | | Name | Description | Baidu Netdisk | Extraction code |
4 | | --------- | ------ | ------------------------------------- | ---- |
5 | | CTF tool collection | Compiled by 精灵表哥 | [Download](https://pan.baidu.com/s/19p5GPCHabbZXVnw3YV8zsQ) | 45vm |
6 | | Thoroughly categorized tool collection | Anonymous | [Download](https://pan.baidu.com/s/1Qu4c29XxWc_akuKD66OQeg) | iuce |
7 |
8 | > Resources from https://www.ctftools.com
9 |
10 |
--------------------------------------------------------------------------------
/docs/crypto.md:
--------------------------------------------------------------------------------
1 | # Crypto
2 |
3 | ## Classical ciphers
4 |
5 | - [CAP4](http://down.40huo.cn/crypto/CAP4.zip)
6 |
7 | - [JPK - 406](http://down.40huo.cn/crypto/JPK_406.jar)
8 |
9 | - [RC4 online encrypt/decrypt](http://rc4.online-domain-tools.com/)
10 |
11 | - [Rail fence cipher encrypt/decrypt tool](http://down.40huo.cn/crypto/%E6%A0%85%E6%A0%8F%E5%AF%86%E7%A0%81%E5%8A%A0%E8%A7%A3%E5%AF%861.10.rar)
12 |
13 | - [Morse code online encode/decode](http://www.zhongguosou.com/zonghe/moErSiCodeConverter.aspx)
14 |
15 | - [Vigenère cipher online solver 1](https://www.guballa.de/vigenere-solver)
16 |
17 | - [Vigenère cipher online solver 2](http://www.mygeocachingprofile.com/codebreaker.vigenerecipher.aspx)
18 |
19 | - [XMU ph0en1x online cipher tools](http://tool.ph0en1x.com/)
20 |
21 | - [Cipher Machine](http://heartsnote.com/tools/cipher.htm)
22 |
23 | Rail fence, Caesar, Vigenère, Morse, transposition, etc.
24 |
25 | - [quipquip](http://quipqiup.com/)
26 |
27 | Shift cipher cracking.
28 |
29 | - [PYG cryptography toolkit](http://down.40huo.cn/crypto/pyg%E5%AF%86%E7%A0%81%E5%AD%A6%E7%BB%BC%E5%90%88%E5%B7%A5%E5%85%B7.zip)
30 |
31 | ## RSA
32 |
33 | - [yafu large-integer factorization](http://down.40huo.cn/crypto/yafu-1.34.zip)
34 |
35 | - [factordb online factorization](http://factordb.com/)
36 |
37 | - [RSATool](http://down.40huo.cn/crypto/RSATool2v17.rar_87752.rar)
38 |
39 | - [wiener-attack](https://github.com/pablocelayes/rsa-wiener-attack)
40 |
41 | - [rsatool](https://github.com/ius/rsatool)
42 |
43 | ```bash
44 | python rsatool.py -f PEM -o key.pem -n 13826123222358393307 -d 9793706120266356337
45 | python rsatool.py -f DER -o key.der -p 4184799299 -q 3303891593
46 | ```
47 |
48 |
49 | ## Hash
50 |
51 | - [CRC32 collision script](https://github.com/theonlypwner/crc32/blob/master/crc32.py)
52 |
53 | ```shell
54 | crc32.py -h
55 | usage: crc32.py [-h] action ...
56 |
57 | Reverse, undo, and calculate CRC32 checksums
58 |
59 | positional arguments:
60 | action
61 | flip flip the bits to convert normal(msbit-first) polynomials to
62 | reversed (lsbit-first) and vice versa
63 | reciprocal
64 | find the reciprocal (Koopman notation) of a reversed (lsbit-
65 | first) polynomial and vice versa
66 | table generate a lookup table for a polynomial
67 | reverse find a patch that causes the CRC32 checksum to become a desired
68 | value
69 | undo rewind a CRC32 checksum
70 | calc calculate the CRC32 checksum
71 |
72 | optional arguments:
73 | -h, --help show this help message and exit
74 | ```
75 |
76 | ## Other
77 |
78 | - [Cisco password online cracker](http://www.ifm.net.nz/cookbooks/passwordcracker.html)
79 | - [Base64 encode/decode](http://base64.supfree.net/)
80 | - [Sage computer algebra system](http://www.sagemath.org/)
81 |
--------------------------------------------------------------------------------
/docs/environment.md:
--------------------------------------------------------------------------------
1 | # Environment Setup
2 |
3 | ## Kali Linux
4 |
5 | * [Official site](https://www.kali.org)
6 | * [Install image download (USTC mirror)](http://mirrors.ustc.edu.cn/kali-images/)
7 | * [VM image download (official)](https://www.offensive-security.com/kali-linux-vmware-virtualbox-image-download/)
8 |
9 | ## Java
10 |
11 | * [JRE](http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html)
12 | * [JDK](http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html)
13 |
14 | ## Python
15 |
16 | * [Python](https://www.python.org/)
17 |
18 | * pip Douban mirror setup
19 |
20 | Create a `pip.ini` (Windows) or `pip.conf` (Linux) file in the `~/.pip/` directory with the following content:
21 |
22 | ```ini
23 | [global]
24 | index-url = http://pypi.douban.com/simple
25 | trusted-host = pypi.douban.com
26 | [list]
27 | format=columns
28 | ```
29 |
30 | ## Offline Docs
31 |
32 | When you are in an environment without internet access, the material you keep locally becomes especially important.
33 |
34 | * [WooYun vulnerability knowledge base mirror](https://github.com/hanc00l/wooyun_public)
35 |
36 | [Baidu Netdisk, extraction code 5ik7](http://pan.baidu.com/s/1kVtY2rX)
37 |
38 | * [Zeal](https://zealdocs.org)
39 |
40 | > Zeal is an offline documentation browser for software developers.
41 |
42 | One drawback: downloads are very slow; going through a proxy seems to help a little.
43 |
44 | * [Zeal portable](https://zealdocs.org/download.html)
45 |
46 | * [Self-packaged docset archive](http://pan.baidu.com/s/1slrWutf)
47 |
48 | Includes Bash, C, C++, CSS, Django, Docker, ElasticSearch, Flask, Go, HTML, JavaScript, Java SE 8, Laravel, MySQL, Nginx, PHP, Python 2, Python 3, Vim, WordPress.
49 |
50 | ## Getting over the Great Firewall
51 |
52 | For reasons everyone knows,
--------------------------------------------------------------------------------
/docs/index.md:
--------------------------------------------------------------------------------
1 | # CTF Tools
2 |
3 | !!! info "Suggestions and feedback welcome"
4 | **[Click here](https://github.com/ctf-wiki/ctf-tools/issues/new)** to help make [CTF Tools](https://github.com/ctf-wiki/ctf-tools) better.
5 |
6 | ## Get Started
7 |
8 | The CTF arsenal: a collection of tools, scripts and security-conference slides related to CTF competitions, deployed with [MkDocs](https://github.com/mkdocs/mkdocs).
9 |
10 | - [Collections (tool collections)](collections.md)
11 | - [Environment (environment setup)](environment.md)
12 | - [Misc (miscellaneous)](misc.md)
13 | - [Crypto (cryptography)](crypto.md)
14 | - [Reverse (reverse engineering)](reverse.md)
15 | - [Pwn (binary exploitation)](pwn.md)
16 | - [Web (web applications)](web-tools/web.md)
17 | - [Papers (security conference slides and books)](papers.md)
18 |
19 | Maintained by the [CTF Wiki](https://github.com/ctf-wiki/ctf-wiki/) team.
20 |
21 | !!! warning
22 | All tools on this site were collected from the internet; scan them for malware and backdoors yourself.
23 |
24 | ## Material color palette
25 | ### Primary colors
26 |
27 | > Default: `white`
28 |
29 | Click a color swatch to change the theme's primary color.
30 |
31 |
61 | ### Accent colors
62 |
63 | > Default: `red`
64 |
65 | Click a color swatch to change the theme's accent color.
66 |
67 |
--------------------------------------------------------------------------------
/docs/misc.md:
--------------------------------------------------------------------------------
1 | # MISC
2 |
3 | ## Image steganography
4 |
5 | * [Stegsolve](http://down.40huo.cn/misc/Stegsolve.jar)
6 |
7 | * [Stegdetect amd64 deb](http://down.40huo.cn/misc/stegdetect_0.6-6_amd64.deb)
8 |
9 | The main Stegdetect options are:
10 |
11 | q – only show images that may contain hidden content
12 |
13 | n – enable JPEG header checking to reduce the false-positive rate. When enabled, all files with comment sections are treated as having no embedded data. If the version number in the JPEG file's JFIF identifier is not 1.1, OutGuess detection is disabled.
14 |
15 | s – change the sensitivity of the detection algorithm; the default is 1. The match level of the results is proportional to the sensitivity: the higher the value, the more likely a flagged suspicious file contains hidden data.
16 |
17 | d – print debug information with line numbers.
18 |
19 | t – set which steganography tools to test for (default jopi); the available options are:
20 |
21 | j – test whether data in the image was embedded with jsteg.
22 |
23 | o – test whether data in the image was embedded with outguess.
24 |
25 | p – test whether data in the image was embedded with jphide.
26 |
27 | i – test whether data in the image was embedded with invisible secrets.
28 |
29 | * [Steghide 0.5.1 win32](http://down.40huo.cn/misc/steghide-0.5.1-win32.zip)
30 |
31 | * [Outguess amd64 deb](http://down.40huo.cn/misc/outguess_0.2-7_amd64.deb)
32 |
33 | * [PNGCheck 2.3.0 win32](http://down.40huo.cn/misc/pngcheck-2.3.0-win32.zip)
34 |
35 | * [JPHS win32](http://down.40huo.cn/misc/jphs_05.zip)
36 |
37 | * [OurSecret](http://down.40huo.cn/misc/oursecret.zip)
38 |
39 | ## Archives
40 |
41 | * [Ziperello](http://down.40huo.cn/misc/Ziperello.zip)
42 |
43 | zip archive password brute-forcing.
44 |
45 | * [Advanced Rar Password Recovery](http://down.40huo.cn/misc/AdvancedRARPassword.zip)
46 |
47 | * [Advanced Zip Password Recovery](http://down.40huo.cn/misc/AZPR_4.0.zip)
48 |
49 | ## Wireless passwords
50 |
51 | * [Elcomsoft Wireless Security Auditor](http://down.40huo.cn/misc/Elcomsoft.Wireless.Security.Auditor.Pro.v5.9.359-BRD_tt7z.com.rar)
52 |
53 | ## Editors
54 |
55 | * [010 Editor Windows x64](http://down.40huo.cn/misc/010_Editor_v6.0.2_CracKed_For_Windows_x64.zip)
56 |
57 | ## NTFS file streams
58 |
59 | * [Alternate Stream View](http://down.40huo.cn/misc/alternatestreamview.zip)
60 |
61 | ## Audio steganography
62 |
63 | * [Audacity](http://down.40huo.cn/misc/audacity-win-2.1.2.zip)
64 | * [Online dial tone detection](http://dialabc.com/sound/detect/)
65 |
66 | ## Forensics
67 |
68 | * [Elcomsoft Forensic Disk Decryptor](http://down.40huo.cn/misc/efdd_setup_en.msi)
69 | * [Crack tool](http://down.40huo.cn/misc/Elcomsoft.Forensic.Disk.Decryptor.CracKed.By.Hmily.LCG.rar)
70 |
71 | ## Barcodes and QR codes
72 |
73 | * [Online barcode / QR code reader](https://online-barcode-reader.inliteresearch.com/default.aspx)
74 |
75 | ## GIF
76 |
77 | * [Online GIF frame splitter](http://ezgif.com/split)
78 |
79 | ## Encoding analysis
80 |
81 | * [CyberChef, the Swiss army knife of encoding analysis](https://gchq.github.io/CyberChef)
82 |
83 | ## pyc
84 |
85 | - [Stegosaurus](https://github.com/AngelKitty/stegosaurus)
86 |
87 | Stegosaurus is a steganography tool that lets us embed an arbitrary Payload in Python bytecode files (pyc or pyo). Because of the low encoding density, embedding the Payload changes neither the runtime behaviour of the source code nor the size of the source file. The Payload code is scattered throughout the bytecode, so tools like strings cannot find the actual Payload. Python's dis module returns the bytecode of the source file, and we can then use Stegosaurus to embed the Payload.
88 |
89 | > **Tip: Stegosaurus only supports Python 3.6 and below**
90 |
91 | Basic Stegosaurus usage:
92 |
93 | ```shell
94 | $ python3 -m stegosaurus -h
95 | usage: stegosaurus.py [-h] [-p PAYLOAD] [-r] [-s] [-v] [-x] carrier
96 |
97 | positional arguments:
98 | carrier Carrier py, pyc or pyo file
99 |
100 | optional arguments:
101 | -h, --help show this help message and exit
102 | -p PAYLOAD, --payload PAYLOAD
103 | Embed payload in carrier file
104 | -r, --report Report max available payload size carrier supports
105 | -s, --side-by-side Do not overwrite carrier file, install side by side
106 | instead.
107 | -v, --verbose Increase verbosity once per use
108 | -x, --extract Extract payload from carrier file
109 | ```
110 |
--------------------------------------------------------------------------------
/docs/papers.md:
--------------------------------------------------------------------------------
1 | # Papers
2 |
3 | ## Talk slides
4 |
5 | - [KCon 2017 PPT](https://github.com/knownsec/KCon/tree/master/2017)
6 | - [补天沙龙 Nanjing: Java code auditing](http://down.40huo.cn/papers/%E8%A1%A5%E5%A4%A9%E6%B2%99%E9%BE%99%E5%8D%97%E4%BA%AC%E7%AB%99-Java%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E9%82%A3%E4%BA%9B%E4%BA%8B.zip)
7 | - [2017 3rd PHP Global Developers Conference](https://github.com/devlinkcn/ppts_for_php2017)
8 | - [2017 先知 White Hat Conference slides](http://pan.baidu.com/s/1eSoW0Sy)
9 | - [Always losing CTFs? You're still missing some Tricks!](http://down.40huo.cn/papers/CTF%E6%AF%94%E8%B5%9B%E6%80%BB%E6%98%AF%E8%BE%93%EF%BC%9F%E4%BD%A0%E8%BF%98%E5%B7%AE%E7%82%B9Tricks%21.pdf)
10 | - [Build Your SSRF EXP Autowork By 猪猪侠](http://down.40huo.cn/papers/%E7%8C%AA%E7%8C%AA%E4%BE%A0-build_your_ssrf_exp_autowork.pdf)
11 | - [My white-hat learning path](http://down.40huo.cn/papers/%E6%88%91%E7%9A%84%E7%99%BD%E5%B8%BD%E5%AD%A6%E4%B9%A0%E8%B7%AF%E7%BA%BF--20170325.pdf)
12 | - [2017 补天沙龙 Chengdu - Small things in penetration testing By l3m0n](https://github.com/SycloverSecurity/papers/blob/master/2017%E8%A1%A5%E5%A4%A9%E6%B2%99%E9%BE%99%E6%88%90%E9%83%BD%E7%AB%99/l3m0n-%E6%B8%97%E9%80%8F%E6%B5%8B%E8%AF%95%E4%B8%AD%E7%9A%84%E9%82%A3%E7%82%B9%E5%B0%8F%E4%BA%8B.pdf)
13 | - [2016 补天 White Hat Salon Chengdu - How a new PWN driver gets on the road fast By muhe](https://github.com/SycloverSecurity/papers/blob/master/2016%E8%A1%A5%E5%A4%A9%E6%B2%99%E9%BE%99%E6%88%90%E9%83%BD%E7%AB%99/muhe-pwn%E6%96%B0%E5%8F%B8%E6%9C%BA%E5%A6%82%E4%BD%95%E5%BF%AB%E9%80%9F%E4%B8%8A%E8%B7%AF.pptx)
14 | - [5th China Cyber Security Conference - The browser address bar dilemma](http://down.40huo.cn/papers/%E6%B5%8F%E8%A7%88%E5%99%A8%E5%9C%B0%E5%9D%80%E6%A0%8F%E4%B9%8B%E5%9B%B0.pdf)
15 | - [Introduction to the Pin Instrumentation Tool](https://cs.gmu.edu/~astavrou/courses/ISA_673_S13/PIN_lecture.pdf)
16 |
17 | ## Books
18 |
19 | - [SQL Injection Attacks and Defense](http://pan.baidu.com/s/1bpksQnX)
20 | - [Metasploit Penetration Testing Devil's Training Camp](http://pan.baidu.com/s/1hrRlMdA)
21 | - [PHP Code Auditing: Getting Started in Practice](http://pan.baidu.com/s/1skZGUk9)
22 | - [Practical Packet Analysis with Wireshark (2nd edition)](http://pan.baidu.com/s/1dF690Ff)
23 | - [Hacking Exposed, 7th edition](http://pan.baidu.com/s/1c2eRiFY)
24 |
25 |
--------------------------------------------------------------------------------
/docs/pwn.md:
--------------------------------------------------------------------------------
1 | # PWN
2 |
3 | ## Disassembly
4 |
5 | - [IDA Pro 6.8 Green](http://down.52pojie.cn/Tools/Disassemblers/IDA_Pro_v6.8_and_Hex-Rays_Decompiler_%28ARM%2Cx64%2Cx86%29_Green.rar)
6 |
7 | ## Debugging
8 |
9 | * [peda](https://github.com/longld/peda)
10 |
11 | > **Installation**
12 | >
13 | > ```shell
14 | > git clone https://github.com/longld/peda.git ~/peda
15 | > echo "source ~/peda/peda.py" >> ~/.gdbinit
16 | > echo "DONE! debug your program with gdb and enjoy"
17 | > ```
18 |
19 | [master branch archive as of 27 Dec 2016](http://down.40huo.cn/pwn/peda-master.zip)
20 |
21 | ## Patch
22 |
23 | * [Fentanyl](https://github.com/isislab/Fentanyl)
24 |
25 | IDA Python script for quick patching.
26 |
27 | [master branch archive as of 27 Dec 2016](http://down.40huo.cn/pwn/Fentanyl-master.zip)
28 |
29 | > **Usage**
30 | >
31 | > **Loading Fentanyl.py**
32 | >
33 | > 1. `Alt+F7` or `File > Script File` to load scripts
34 | > 2. Browse to `main.py` and open it
35 | > 3. That's it!
36 | >
37 | > **Key Bindings**
38 | >
39 | > *Some of these keybindings can be accessed by right-clicking on the screen in graph view.*
40 | >
41 | > - `Alt-N` Convert instructions to nops
42 | > - `Alt-X` Nop all xrefs to this function
43 | > - `Alt-J` Invert conditional jump
44 | > - `Alt-P` Patch instruction
45 | > - `Alt-Z` Undo modification (Won't always work. Should still be careful editing.)
46 | > - `Alt-Y` Redo modification (Won't always work. Should still be careful editing.)
47 | > - `Alt-S` Save file
48 | > - `Alt-C` Find Code Caves
49 | > - `Ctrl-Alt-F` Make jump unconditional
50 | > - `Ctrl-Alt-N` Neuter the binary (remove calls to fork, setuid, setgid, getpwnam, setgroups, and chdir)
51 |
52 |
--------------------------------------------------------------------------------
/docs/reverse.md:
--------------------------------------------------------------------------------
1 | # Reverse
2 |
3 | ## Disassembly
4 |
5 | * [IDA Pro 6.8 Green](http://down.52pojie.cn/Tools/Disassemblers/IDA_Pro_v6.8_and_Hex-Rays_Decompiler_%28ARM%2Cx64%2Cx86%29_Green.rar)
6 | * [dnSpy](http://down.40huo.cn/reverse/dnSpy%20v2.0.2.0.zip)
7 | * [ILSpy](http://down.40huo.cn/reverse/ILSpy_Master_2.3.1.1855_Binaries.zip)
8 | * [IDA Pro 7.0 Green](https://down.52pojie.cn/Tools/Disassemblers/IDA_Pro_v7.0_Portable.zip)
9 |
10 | ## Debugging
11 |
12 | * [52pojie edition OllyDbg](http://down.40huo.cn/reverse/%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%E4%B8%93%E7%94%A8%E7%89%88Ollydbg.rar)
13 |
14 | ## Unpacking
15 |
16 | * [UPX Unpacker](http://down.40huo.cn/reverse/UPX%20Unpacker.rar)
17 |
18 | ## Python
19 |
20 | * [unpy2exe](http://down.40huo.cn/reverse/unpy2exe-master.zip)
21 |
22 | ## Android
23 |
24 | - [AndroidResEdit](http://down.40huo.cn/android/AndroidResEdit.rar)
25 | - [JD - GUI](http://down.40huo.cn/android/jd-gui-windows-1.4.0.zip)
26 | - [Android Killer](http://down.52pojie.cn/Tools/Android_Tools/AndroidKiller_v1.3.1.zip)
27 | - [JEB - 2.2.7](http://down.52pojie.cn/Tools/Android_Tools/jeb-2.2.7.201608151620_crack_qtfreet00.zip)
28 |
29 | ## Dynamic instrumentation
30 | - [intel pin](https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool)
31 |
--------------------------------------------------------------------------------
/docs/unfinished.md:
--------------------------------------------------------------------------------
1 | unfinished
2 |
--------------------------------------------------------------------------------
/docs/web-tools/burpsuite.md:
--------------------------------------------------------------------------------
1 | burpsuite
2 |
--------------------------------------------------------------------------------
/docs/web-tools/fiddle.md:
--------------------------------------------------------------------------------
1 | fiddle
2 |
--------------------------------------------------------------------------------
/docs/web-tools/web.md:
--------------------------------------------------------------------------------
1 | # Web
2 |
3 | ## 菜刀 (China Chopper)
4 |
5 | - [习科 armory edition 菜刀](https://attach.blackbap.org/down/wzaq/caidao.rar)
6 |
7 | - [New official 菜刀](http://down.40huo.cn/web/caidao-20160622-www.maicaidao.com.7z)
8 |
9 | Extraction password: `www.maicaidao.com`
10 |
11 | - [CKnife](http://pan.baidu.com/s/1nul1mpr)
12 |
13 | Password: f65g
14 |
15 | ## Injection
16 |
17 | * [sqlmap](https://github.com/sqlmapproject/sqlmap)
18 |
19 | > **Installation**
20 | >
21 | > You can download the latest tarball by clicking [here](https://github.com/sqlmapproject/sqlmap/tarball/master) or latest zipball by clicking [here](https://github.com/sqlmapproject/sqlmap/zipball/master).
22 | >
23 | > Preferably, you can download sqlmap by cloning the [Git](https://github.com/sqlmapproject/sqlmap) repository:
24 | >
25 | > ```
26 | > git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
27 | >
28 | > ```
29 | >
30 | > sqlmap works out of the box with [Python](http://www.python.org/download/) version **2.6.x** and **2.7.x** on any platform.
31 | >
32 | > **Usage**
33 | >
34 | > To get a list of basic options and switches use:
35 | >
36 | > ```
37 | > python sqlmap.py -h
38 | >
39 | > ```
40 | >
41 | > To get a list of all options and switches use:
42 | >
43 | > ```
44 | > python sqlmap.py -hh
45 | >
46 | > ```
47 | >
48 | > You can find a sample run [here](https://asciinema.org/a/46601). To get an overview of sqlmap capabilities, list of supported features and description of all options and switches, along with examples, you are advised to consult the [user's manual](https://github.com/sqlmapproject/sqlmap/wiki).
49 |
50 | [master branch archive as of 27 Dec 2016](http://down.40huo.cn/web/weakfilescan-master.zip)
51 |
52 | ## Packet capture
53 |
54 | * [Burp Suite 1.6 pro]()
55 |
56 | * [WireShark 2.2.3 win32](http://down.40huo.cn/web/Wireshark-win32-2.2.3.exe)
57 |
58 | * [PKAV HTTP FUZZER](http://down.40huo.cn/web/Pkav%20HTTP%20Fuzzer%201.5.5.zip)
59 |
60 | Includes some simple CAPTCHA recognition.
61 |
62 | ## Directory scanning
63 |
64 | * [御剑 backend scanner](http://down.40huo.cn/web/%E5%BE%A1%E5%89%91%E5%90%8E%E5%8F%B0%E6%89%AB%E6%8F%8F%E7%8F%8D%E8%97%8F%E7%89%88.zip)
65 |
66 | * [Personal 御剑 wordlist](http://down.40huo.cn/wordlist/%E5%BE%A1%E5%89%91%E5%AD%97%E5%85%B8.rar)
67 |
68 | * [dirfuzz](http://down.40huo.cn/web/dirfuzz-master.zip)
69 |
70 | * [weakfilescan](https://github.com/ring04h/weakfilescan)
71 |
72 | An advanced version of dirfuzz.
73 |
74 | [master branch archive as of 27 Dec 2016](http://down.40huo.cn/web/weakfilescan-master.zip)
75 |
76 | * [猪猪侠's wordlist pack](http://pan.baidu.com/s/1geBDwGz)
77 |
78 | * [Some unknown wordlist from Github](http://down.40huo.cn/wordlist/wordlist.txt.gz)
79 |
80 | ## Source code leaks
81 |
82 | * [Seay - SVN source leak exploitation tool](http://down.40huo.cn/web/Seay-Svn%E6%BA%90%E4%BB%A3%E7%A0%81%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%E5%B7%A5%E5%85%B72.0.zip)
83 |
84 | * [Githack](https://github.com/lijiejie/GitHack)
85 |
86 | > **Usage example**
87 | >
88 | > ```
89 | > GitHack.py http://www.openssl.org/.git/
90 | > ```
91 |
92 | [master branch archive as of 27 Dec 2016](http://down.40huo.cn/web/GitHack-master.zip)
93 |
94 | ## Log analysis
95 |
96 | * [LogForensics](https://github.com/xti9er/LogForensics)
97 |
98 | Perl log analysis script; usage:
99 |
100 | ```shell
101 | perl LogForensics.pl -file logfile -websvr (nginx|httpd) [-ip ip(ip,ip,ip)|-url url(url,url,url)]
102 | ```
103 |
104 | `file`: path to the log file
105 |
106 | `websvr`: log type
107 |
108 | `ip`: starting IP or comma-separated IP list to investigate
109 |
110 | `url`: starting cgi URL or comma-separated URL list to investigate
111 |
112 | * [ngxtop](https://github.com/lebinh/ngxtop)
113 |
114 | > real-time metrics for nginx server (and others)
115 |
116 | Install: `pip install ngxtop`
117 |
118 | Examples:
119 |
120 | ```shell
121 | ngxtop top remote_addr # View top source IPs of clients
122 | ngxtop -i 'status >= 400' print request status http_referer # List 4xx or 5xx responses together with HTTP referer
123 | tail -f /var/log/apache2/access.log | ngxtop -f common # Parse apache log from remote server with common format
124 | ```
125 |
126 | ## Intranet
127 |
128 | - [Termite](http://rootkiter.com/Termite/)
129 |
130 | Pivot host management tool. [Download](http://pan.baidu.com/s/1pLUB7ar)
131 |
132 | > 1. Start an agent in service mode.
133 | >
134 | > ```shell
135 | > $ ./agent -l p 8888
136 | > ```
137 | >
138 | > 2. Connect the admin side to the agent and manage it.
139 | >
140 | > ```shell
141 | > $ ./admin -c 127.0.0.1 -p 8888
142 | > ```
143 | >
144 | > 3. The admin side now gets a built-in shell; enter the help command for help information.
145 | >
146 | > ```shell
147 | > >> help
148 | > ```
149 | >
150 | > 4. The show command displays the current agent topology.
151 | >
152 | > ```shell
153 | > >> show
154 | > 0M
155 | > +-- 1M
156 | > Since there is only one agent in the current topology, the output shows only 1M,
157 | > where 1 is the node ID,
158 | > and M is short for MacOS; Linux is L and Windows is W.
159 | > ```
160 | >
161 | > 5. Add a new agent to the current topology.
162 | >
163 | > ```shell
164 | > ./agent -c 127.0.0.1 -p 8888
165 | > ```
166 | >
167 | > 6. The show command now produces the following.
168 | >
169 | > ```shell
170 | > 0M
171 | > +-- 1M
172 | > | +-- 2M
173 | > This shows two nodes in the current topology; node 2 hangs under node 1 because it can only be reached through node 1.
174 | > ```
175 | >
176 | > 7. Start a socks proxy on node 2 and bind it to a local port
177 | >
178 | > ```shell
179 | > >> goto 2
180 | > Switch the currently managed node to node 2.
181 | > >> socks 1080
182 | > A listener now starts on local port 1080, with node 2 as the service provider.
183 | > ```
184 | >
185 | > 8. Open a shell on node 1 and bind it to a local port
186 | >
187 | > ```shell
188 | > >> goto 1
189 | > >> shell 7777
190 | > Connecting with nc to local port 7777 now gives a shell provided by node 1.
191 | > ```
192 | >
193 | > 9. Download a remote file to the local machine
194 | >
195 | > ```shell
196 | > >> goto 1
197 | > >> downfile 1.txt 2.txt
198 | > Download 1.txt from node 1's directory to the local machine and name it 2.txt
199 | > ```
200 | >
201 | > 10. Upload a file to a remote node
202 | >
203 | > ```shell
204 | > >> goto 2
205 | > >> upfile 2.txt 3.txt
206 | > Upload the local 2.txt to node 2's directory and name it 3.txt
207 | > ```
208 | >
209 | > 11. Port forwarding
210 | >
211 | > ```shell
212 | > >> goto 2
213 | > >> lcxtran 3388 10.0.0.1 3389
214 | > Using node 2 as a pivot, map port 3389 of 10.0.0.1 to local port 3388
215 | > ```
216 | >
217 | > 12. More resources
218 | >
219 | > ```
220 | > http://rootkiter.com/toolvideo/toolmp4/1maintalk.mp4
221 | > http://rootkiter.com/toolvideo/toolmp4/2socks.mp4
222 | > http://rootkiter.com/toolvideo/toolmp4/3lcxtran.mp4
223 | > http://rootkiter.com/toolvideo/toolmp4/4shell.mp4
224 | > http://rootkiter.com/toolvideo/toolmp4/5file.mp4
225 | > ```
226 |
227 |
--------------------------------------------------------------------------------
/docs/web-tools/wireshark.md:
--------------------------------------------------------------------------------
1 | wireshark
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/PE/die.md:
--------------------------------------------------------------------------------
1 | die
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/PE/exeinfo.md:
--------------------------------------------------------------------------------
1 | exeinfo
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/PE/importrec.md:
--------------------------------------------------------------------------------
1 | ImportREC
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/PE/peid.md:
--------------------------------------------------------------------------------
1 | peid
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/debugger/cheat_engine.md:
--------------------------------------------------------------------------------
1 | chear_engine
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/debugger/immunity_debugger.md:
--------------------------------------------------------------------------------
1 | immunity
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/debugger/ollydbg.md:
--------------------------------------------------------------------------------
1 | ollydbg
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/debugger/windbg.md:
--------------------------------------------------------------------------------
1 | windbg
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/debugger/x32_x64_debugger.md:
--------------------------------------------------------------------------------
1 | x32_x64_debugger
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/disassembler_and_decomplier/hopper.md:
--------------------------------------------------------------------------------
1 | hopper
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/disassembler_and_decomplier/ida.md:
--------------------------------------------------------------------------------
1 | ida
2 |
--------------------------------------------------------------------------------
/docs/windows-binary-related/disassembler_and_decomplier/radare2_and_cutter.md:
--------------------------------------------------------------------------------
1 | radare2_and_cutter
2 |
--------------------------------------------------------------------------------
/mkdocs.yml:
--------------------------------------------------------------------------------
1 | # Project Information
2 | site_name: CTF Tools
3 | site_description: CTF 军火库
4 | site_author: CTF Wiki Team
5 | site_url: https://ctf-wiki.github.io/ctf-tools/
6 |
7 | # Repository
8 | repo_name: 'ctf-wiki/ctf-tools'
9 | repo_url: 'https://github.com/ctf-wiki/ctf-tools'
10 | edit_uri: 'blob/master/docs/'
11 |
12 | # Copyright
13 | copyright: 'Copyright © 2016 - 2020 CTF Wiki Team'
14 |
15 | # Contents
16 | nav:
17 | - CTF Tools:
18 | - Getting started 开始使用: index.md
19 | - Collections 工具合集: collections.md
20 | - Environment 环境配置: environment.md
21 | - Papers 会议: papers.md
22 | - Misc 杂项:
23 | - 基本工具: misc.md
24 | - Crypto:
25 | - 基本工具: crypto.md
26 | - Web Tools:
27 | - Basic Tools:
28 | - Wireshark: web-tools/wireshark.md
29 | - Burp Suite: web-tools/burpsuite.md
30 | - Fiddler: web-tools/fiddle.md
31 | - Web 网站应用: web-tools/web.md
32 | - Reverse 逆向工程: reverse.md
33 | - Binary Core Tools:
34 | - File Structure:
35 | - 010 Editor: binary-core-tools/file_structure/010editor.md
36 | - Debugger:
37 | - IDA: binary-core-tools/debugger/ida.md
38 | - Instrumentation:
39 | - Intel pin: binary-core-tools/instrumentation/intel_pin.md
40 | - Virtualization:
41 | - qemu:
42 | - qemu 介绍: binary-core-tools/virtualization/qemu/qemu-introduction.md
43 | - qemu 安装与调试: binary-core-tools/virtualization/qemu/qemu-install-and-debug.md
44 | - qemu 细节: binary-core-tools/virtualization/qemu/qemu-internals.md
45 | - Windows Binary:
46 | - Disassembler and Decomplier:
47 | - IDA: windows-binary-related/disassembler_and_decomplier/ida.md
48 | - Radare2/Cutter: windows-binary-related/disassembler_and_decomplier/radare2_and_cutter.md
49 | - Hopper: windows-binary-related/disassembler_and_decomplier/hopper.md
50 | - Debugger:
51 | - OllyDbg: windows-binary-related/debugger/ollydbg.md
52 | - WinDbg: windows-binary-related/debugger/windbg.md
53 | - x32/x64 Debugger: windows-binary-related/debugger/x32_x64_debugger.md
54 | - Immunity Debugger: windows-binary-related/debugger/immunity_debugger.md
55 | - Cheat Engine: windows-binary-related/debugger/cheat_engine.md
56 | - PE工具类:
57 | - ExeInfo: windows-binary-related/PE/exeinfo.md
58 | - PEiD: windows-binary-related/PE/importrec.md
59 | - DIE: unfinished.md
60 | - ImportREC: unfinished.md
61 | - Lord PE: unfinished.md
62 | - Stud_PE: unfinished.md
63 | - .NET类:
64 | - dnSpy: unfinished.md
65 | - de4dot: unfinished.md
66 | - 系统工具:
67 | - procexp: unfinished.md
68 | - procmon: unfinished.md
69 | - Pwn 二进制漏洞挖掘: pwn.md
70 | - Linux Binary:
71 | - Basic Tools:
72 | - gdb, 以及各种插件: unfinished.md
73 | - pwntools: unfinished.md
74 | - linux-inject: unfinished.md
75 | - Android:
76 | - 开发:
77 | - Android Studio: unfinished.md
78 | - DDMS: unfinished.md
79 | - 基本工具:
80 | - Android 逆向助手/Android Crack Tool: unfinished.md
81 | - 反编译:
82 | - jadx: unfinished.md
83 | - GDA: unfinished.md
84 | - jeb: unfinished.md
85 | - 调试:
86 | - Android Studio 调试 Smali: unfinished.md
87 | - IDA 调试 So: unfinished.md
88 | - 脱壳工具:
89 | - ZjDroid: unfinished.md
90 | - 插桩: unfinished.md
91 | - Hook:
92 | - Xposed: unfinished.md
93 | - Frida: unfinished.md
94 |
95 |
96 | # Theme
97 | theme:
98 | name: 'material'
99 | language: 'zh'
100 | palette:
101 | primary: 'white'
102 | accent: 'red'
103 | logo: '_static/img/favicon.png'
104 | favicon: '_static/img/favicon.png'
105 | feature:
106 | tabs: true
107 | font:
108 | text: 'Source Sans Pro'
109 | code: 'Source Code Pro'
110 |
111 | # Customization
112 | extra:
113 | search:
114 | language: 'jp'
115 |
116 | extra_javascript:
117 | - '_static/js/extra.js'
118 | - 'https://cdn.bootcss.com/mathjax/2.7.2/MathJax.js?config=TeX-MML-AM_CHTML'
119 |
120 | # Extensions
121 | markdown_extensions:
122 | - admonition
123 | - codehilite:
124 | guess_lang: false
125 | - def_list
126 | - footnotes
127 | - meta
128 | - toc:
129 | permalink: true
130 | - pymdownx.arithmatex
131 | - pymdownx.caret
132 | - pymdownx.critic
133 | - pymdownx.details
134 | - pymdownx.emoji:
135 | emoji_generator: !!python/name:pymdownx.emoji.to_svg
136 | - pymdownx.inlinehilite
137 | - pymdownx.keys
138 | - pymdownx.magiclink
139 | - pymdownx.mark
140 | - pymdownx.smartsymbols
141 | - pymdownx.superfences
142 | - pymdownx.tasklist:
143 | custom_checkbox: true
144 | - pymdownx.tilde
145 |
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
1 | Markdown
2 | mkdocs
3 | mkdocs-material
4 | pymdown-extensions
--------------------------------------------------------------------------------
/runtime.txt:
--------------------------------------------------------------------------------
1 | 3.6
--------------------------------------------------------------------------------