├── README.md
├── bloat-it.sh
├── clean-it.sh
├── decompiler-alternatives
│   ├── java-decompile-candle.sh
│   ├── java-decompile-cfr.sh
│   ├── java-decompile-jad.sh
│   ├── java-decompile-jdgui-applescript.sh
│   ├── java-decompile-jdgui-interactive.sh
│   ├── java-decompile-jdgui-interactive2.sh
│   ├── java-decompile-jdgui-jdcore.sh
│   ├── java-decompile-krakatau.sh
│   └── java-decompile-procyon.sh
├── diff-it.sh
├── extract-it.sh
├── find-it.sh
├── grep-it.sh
├── java-decompile.sh
├── main.sh
├── testing
│   ├── main-test.sh
│   ├── ripgrep-test.txt
│   └── tests
│       ├── bloat-test
│       │   └── test.zip
│       ├── decompile-test
│       │   ├── src
│       │   │   ├── HelloWorld.class
│       │   │   ├── HelloWorld.java
│       │   │   └── run.sh
│       │   ├── test1
│       │   │   └── HelloWorld.jar
│       │   ├── test2
│       │   │   └── HelloWorld.war
│       │   └── test3
│       │       └── HelloWorld.class
│       ├── diff-test
│       │   ├── new
│       │   │   ├── abc.txt
│       │   │   ├── def.txt
│       │   │   └── new.txt
│       │   └── old
│       │       ├── abc.txt
│       │       ├── def.txt
│       │       └── old.txt
│       └── grep-test
│           └── file.txt
└── visualize-it.sh

/README.md:
--------------------------------------------------------------------------------
CRASS
=============

The "code review audit script scanner" (CRASS) started as a source code grep-er with a set of selected high-potential strings that may result in (security) problems. By now it searches for strings that are interesting for analysts. Simplicity is the key: you don't need anything other than a couple of standard *nix command line tools (especially grep), while the project still serves as a "what can go wrong" collection of things we have seen over the years.

Use cases
-------

I know it is not a real static analysis tool and it's not in any way a replacement for all the tools out there, but it is kind of language independent. It's also not only for source code. It should be helpful in all cases where you have too much data to look through manually during a security review: your customer sent you a zip file with "the new release"/"the code"/"the stuff the developer gave me". Or you managed to gain access to a server, looted a lot of files and want to look for further problems and sensitive information. You harvested/looted data off a server/client/share/...

It should usually be used when you don't know where to start or when it's just way too much to go through manually.

Where to start
-------

If you've never used CRASS before you should try grep-it.sh (currently the main focus of the project). Customize the OPTIONS section of the file. Most things should be fine for a first run though. Afterwards try main.sh.

Contents of the project
-------

By now the tool is also able to analyze directories full of unknown things a bit more smartly:

* A script to unpack and make things bigger (bloat-it.sh: unpack zips, decompile jars, etc.)
* A script to clean and make things smaller (clean-it.sh: depending on the use case we want to remove .svn, .git folders, etc.)
* A script to get an overview of existing files (find-it.sh: using the "file" command)
* A script to compare two versions (diff-it.sh: using the "diff" command)
* A script to visualize the contents (visualize-it.sh: maybe show file entropy or such things)
* A script to extract interesting information (extract-it.sh: mainly metadata, for example EXIF information from pictures)
* A script to find interesting things for security people (grep-it.sh: using the GNU version of "grep")

Some characteristics:
* The scripts can be run independently (it is important to keep it this way). main.sh shows the idea of using them all together.
* Tested under Mac OS X (with GNU grep, aka ggrep from MacPorts), but got good feedback from Linux users too. You should customize the variables defined on the first few lines of each script.

Contributions
-------
Are very welcome, either as issue reports or as pull requests. I know the user experience with everything except grep-it.sh is not perfect; I hope to find time to change that. What would also be helpful is if you let me know that one of the regexes in grep-it.sh was helpful for a certain purpose, so we can improve the comments.

--------------------------------------------------------------------------------
/bloat-it.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------

#NEVER RUN THIS SCRIPT on directories which you haven't backed up
#THIS IS A VERY DANGEROUS SCRIPT THAT DELETES
#I REPEAT, THIS IS A VERY DANGEROUS SCRIPT THAT DELETES

if [ $# -ne 1 ]
then
    echo "Usage: `basename $0` dir-to-bloat"
    exit 0
fi

DIR=${1%/}

echo "#Bloating $DIR"

UNZIP_CMD="unzip"
JAR_CMD="jar"
TAR_CMD="tar"
GZIP_CMD="gzip"
JAR_DECOMPILE="./java-decompile.sh"
D2J_CMD="d2j-dex2jar"

if [ -e "$JAR_DECOMPILE" ]
then
    DECOMPILE_POSSIBLE=true
else
    echo "###"
    echo "# Warning: You haven't chosen how to decompile Java files."
    echo "# Please copy one of the java-decompile-*.sh files to java-decompile.sh"
    echo "# for now .jar and .war are going to be unpacked, but not decompiled."
    echo "###"
    DECOMPILE_POSSIBLE=false
fi


for loops in 1 2 3
do
    echo "#Round $loops"
    echo "#unzip all files and delete the zip file afterwards"
    find "$DIR" -depth -iname '*.zip' -exec echo '#Unpacking {}' \; -execdir $UNZIP_CMD -n '{}' \; -delete

    echo "#untar all tar files and delete afterwards"
    find "$DIR" -depth -iname '*.tar' -exec echo '#Unpacking {}' \; -execdir $TAR_CMD -xf '{}' -C . \; -delete

    echo "#untar all rpm files and delete afterwards"
    #RPM can also be unpacked with tar (the libarchive bsdtar shipped with macOS; GNU tar does not read rpm)
    find "$DIR" -depth -iname '*.rpm' -exec echo '#Unpacking {}' \; -execdir $TAR_CMD -xf '{}' -C . \; -delete

    echo "#ungzip all gz files (gzip -d removes the .gz itself, so no -delete here)"
    find "$DIR" -depth -iname '*.gz' -exec echo '#Unpacking {}' \; -execdir $GZIP_CMD -d '{}' \;

    if [ "$DECOMPILE_POSSIBLE" = true ] ; then
        #TODO: At the moment jd-core does not support war files, although it's exactly the same as a jar file, see bug report at https://github.com/nviennot/jd-core-java/issues/24
        #echo "#decompiling all war files"
        ##We need to find ./java-decompile.sh, so no execdir here
        ##We don't delete them, as we also need the rest of the (meta) data (not only class files in decompiled form)
        #find "$DIR" -depth -iname '*.war' -exec echo '#Decompiling {}' \; -exec $JAR_DECOMPILE '{}' \;

        echo "#decompiling all jar files"
        #We need to find ./java-decompile.sh, so no execdir here
        #We don't delete them, as we also need the rest of the (meta) data (not only class files in decompiled form)
        find "$DIR" -depth -iname '*.jar' -exec echo '#Decompiling {}' \; -exec $JAR_DECOMPILE '{}' \;

        #jd-core does not support decompilation of a single class file directly, it must be in a jar *sigh*
        #What this means at the moment is that you have to pack them into a jar file :(
        #Side note: You can just pack an *entire* directory into one jar file and jd-core will happily decompile all contained class files
        #echo "#handling all class files and delete afterwards"
        ##We need to find ./java-decompile.sh, so no execdir here
        #find "$DIR" -depth -iname '*.class' -exec echo '#Unpacking/Decompiling {}' \; -exec $JAR_DECOMPILE '{}' \; -delete
    fi

    echo "#unpacking all war files and delete afterwards"
    find "$DIR" -depth -iname '*.war' -exec echo '#Unpacking {}' \; -execdir $JAR_CMD xf '{}' \; -delete

    echo "#unpacking all jar files and delete afterwards"
    find "$DIR" -depth -iname '*.jar' -exec echo '#Unpacking {}' \; -execdir $JAR_CMD xf '{}' \; -delete

    echo "#converting all apk files to jar and delete afterwards"
    find "$DIR" -depth -iname '*.apk' -exec echo '#Converting {}' \; -execdir $D2J_CMD '{}' \; -delete

done



--------------------------------------------------------------------------------
/clean-it.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------


if [ $# -ne 1 ]
then
    echo "Usage: `basename $0` dir-to-clean"
    exit 0
fi

DIR=${1%/}

echo "#Cleaning $DIR"

#-prune keeps find from descending into a directory that is removed by the -exec that follows,
#which otherwise produces "No such file or directory" errors after the rm -rf
echo "Don't care about .svn stuff"
find "$DIR" -type d -iname ".svn" -prune -exec echo '#Removing {}' \; -exec rm -rf {} \;
echo "Don't care about .DS_Store files"
find "$DIR" -type f -name ".DS_Store" -exec echo '#Removing {}' \; -exec rm -rf {} \;
echo "Don't care about files ending in ~"
find "$DIR" -type f -iname "*~" -exec echo '#Removing {}' \; -exec rm -rf {} \;

echo "Don't care about directories called 'test' as the test code for Java code is located in there"
find "$DIR" -type d -name "test" -prune -exec echo '#Removing {}' \; -exec rm -rf {} \;
echo "Don't care about directories called 'jars' as the jar dependencies for Java code are very often located in there, and we don't want to decompile all dependencies"
find "$DIR" -type d -name "jars" -prune -exec echo '#Removing {}' \; -exec rm -rf {} \;
echo "Don't care about directories called 'samples'"
find "$DIR" -type d -name "samples" -prune -exec echo '#Removing {}' \; -exec rm -rf {} \;


echo "Don't care about the gradle-wrapper.jar file (for deployment with gradle)"
find "$DIR" -type f -name "gradle-wrapper.jar" -exec echo '#Removing {}' \; -exec rm -rf {} \;



echo "Don't care about the Android R.java file (it's autogenerated)"
find "$DIR" -type f -name "R.java" -exec echo '#Removing {}' \; -exec rm -rf {} \;

#delete all empty files and directories
echo "Removing empty files/directories"
find "$DIR" -size 0 -exec echo '#Removing {}' \; -delete

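bloat-it.sh above unpacks every archive it finds, and the README describes feeding it archives that came from a customer or were looted from a server, i.e. archives the analyst did not create. A zip or tar whose entry names are absolute or contain ".." components can write outside the directory bloat-it.sh is working in. The following is an added example, not part of CRASS: a POSIX sh pre-check that flags such entries in an archive listing, plus a wrapper around `unzip -Z1` (the zipinfo one-name-per-line listing of the unzip that bloat-it.sh already requires). The function names and the sample listing are my own constructions.

```shell
#!/bin/sh
# Added example (not CRASS code): refuse to unpack archives whose entries
# would land outside the extraction directory.

# Reads one archive entry name per line on stdin and prints the unsafe ones:
# absolute paths, and any path that has a ".." component. Backslashes are
# treated as separators too, so Windows-style entries are covered.
unsafe_archive_entries() {
    awk '
        /^\// { print; next }              # absolute path
        {
            line = $0
            gsub(/\\/, "/", line)          # treat \ like /
            n = split(line, parts, "/")
            for (i = 1; i <= n; i++) {
                if (parts[i] == "..") { print $0; break }
            }
        }'
}

# Exit status 0 if the listing on stdin has no unsafe entry, 1 otherwise.
archive_listing_is_safe() {
    bad=$(unsafe_archive_entries)
    [ -z "$bad" ]
}

# Wrapper for zip files: lists the archive with unzip -Z1 (zipinfo mode,
# names only) and reports offending entries on stderr. Assumes unzip is
# installed, as bloat-it.sh does.
zip_is_safe_to_unpack() {
    bad=$(unzip -Z1 "$1" | unsafe_archive_entries)
    if [ -n "$bad" ]; then
        printf '#Refusing to unpack %s, unsafe entries:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample listing, as an archive might report it: two path
# traversal entries, one absolute path, and two harmless names that merely
# contain dots.
SAMPLE_LISTING='src/Main.java
lib/../../../etc/cron.d/job
/etc/passwd
docs/readme..txt
..hidden/x
..\..\evil.sh'

# Stand-alone run: print the unsafe entries of the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | unsafe_archive_entries
```

In bloat-it.sh the check would sit in front of the `-execdir $UNZIP_CMD` step, skipping (and keeping, for manual inspection) any archive for which `zip_is_safe_to_unpack` returns 1; the same listing check applies to `tar -t` output for the tar and rpm rounds.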
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-candle.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/decompiler-alternatives/java-decompile-candle.sh
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-cfr.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/decompiler-alternatives/java-decompile-cfr.sh
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-jad.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/decompiler-alternatives/java-decompile-jad.sh
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-jdgui-applescript.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------

if [ $# -ne 1 ]
then
    echo "Usage: `basename $0` jar-to-decompile"
    exit 0
fi

#used below to report failures
error() { echo "#Error: $*" >&2; }

echo "#Decompiling $1"

JAR_FILE="${1%/}" #e.g. /home/Users/user/project/software.jar
TARGET_NAME="`basename $1`-jdgui" #e.g. software.jar-jdgui
TARGET_FOLDER="`dirname $1`" #e.g. /home/Users/user/project/

JDLOCATION="/Applications/JD-GUI"

TMP="./decompile-tmp"
mkdir "$TMP"


APPLE_SCRIPT="jd-gui-save-all.scpt" #Will be written to tmp

#The script drives JD-GUI's "Save All Sources" dialog: folder, Enter, file name, Enter
#(keystroke takes an AppleScript string, hence the escaped quotes around the shell variables)
echo "tell application \"JD-GUI\"
    activate
end tell
#delay 1
tell application \"System Events\"
    keystroke \"s\" using {command down, option down}
end tell
tell application \"System Events\"
    keystroke \"$TARGET_FOLDER/\"
    key code 36 #Enter
    keystroke \"$TARGET_NAME\"
    key code 36 #Enter
    delay 1
    key code 36 #Enter
    delay 2
end tell

repeat while appIsRunning(\"JD-GUI\")
    tell application \"System Events\"
        keystroke \"q\" using {command down}
    end tell
    delay 2
end repeat

on appIsRunning(appName)
    tell application \"System Events\" to (name of processes) contains appName
end appIsRunning
" > "$TMP/$APPLE_SCRIPT"

osacompile -o "$TMP/$APPLE_SCRIPT.scpt" "$TMP/$APPLE_SCRIPT"

"$JDLOCATION" "$JAR_FILE" &
sleep 1
osascript "$TMP/$APPLE_SCRIPT.scpt"

#The dialog driven above saves $TARGET_NAME.zip next to the jar, so that is the file to check for
if [ -e "$TARGET_FOLDER/$TARGET_NAME.zip" ]
then
    mkdir "$TARGET_FOLDER/$TARGET_NAME"
    mv "$TARGET_FOLDER/$TARGET_NAME.zip" "$TARGET_FOLDER/$TARGET_NAME/"
    cd "$TARGET_FOLDER/$TARGET_NAME/"
    unzip -o -q "$TARGET_NAME.zip"
    cd -
    #the zip was moved into the target folder above, remove it there
    rm "$TARGET_FOLDER/$TARGET_NAME/$TARGET_NAME.zip"
else
    error "The Apple script didn't properly save the zip file."
fi
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-jdgui-interactive.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------
#
# Nothing in this file sets the following variables; they must be exported before running it:
#   DEX2JARLOCATION      - dex2jar installation directory (its lib/*.jar form the classpath)
#   APKLOCATION          - directory containing the .apk files to process
#   APKTOOLSTART         - the apktool command
#   JDLOCATION           - the JD-GUI command
#   JD_GUI_SAVE_LOCATION - where JD-GUI saves the .src.zip files
#   SMALI_TARGET, JAVA_TARGET - output directories, must not exist yet

if [ $# -ne 1 ]
then
    echo "Usage: `basename $0` jar-to-decompile"
    exit 0
fi

#logging helpers used below
info() { echo "#$*"; }
error() { echo "#Error: $*" >&2; }
fatalError() { error "$@"; exit 1; }

ORGWD="`pwd`"

echo "#Decompiling $1"

JAR_FILE="${1%/}" #e.g. /home/Users/user/project/software.jar
TARGET_NAME="`basename $1`-jdgui" #e.g. software.jar-jdgui
TARGET_FOLDER="`dirname $1`" #e.g. /home/Users/user/project/

TMP="./decompile-tmp"
mkdir "$TMP"

APPLE_SCRIPT="jd-gui-save-all.scpt" #Will be written to tmp

echo "tell application \"JD-GUI\"
    activate
end tell
#delay 1
tell application \"System Events\"
    keystroke \"s\" using {command down, option down}
end tell
tell application \"System Events\"
    keystroke \"$TARGET_FOLDER/\"
    key code 36 #Enter
    delay 1
    key code 36 #Enter
    delay 2
end tell

repeat while appIsRunning(\"JD-GUI\")
    tell application \"System Events\"
        keystroke \"q\" using {command down}
    end tell
    delay 2
end repeat

on appIsRunning(appName)
    tell application \"System Events\" to (name of processes) contains appName
end appIsRunning
" > "$TMP/$APPLE_SCRIPT"



#Preparing for disassembling
_classpath=""
for k in $DEX2JARLOCATION/lib/*.jar
do
    _classpath="${_classpath}:${k}"
done
DEX2JAR="java -Xms512m -Xmx1024m -classpath ${_classpath} com.googlecode.dex2jar.v3.Main"


#Look for the files to decompile/disassemble
cd $APKLOCATION
echo $APKLOCATION
FILES="`ls *.apk`"

if [ -e $SMALI_TARGET ]
then
    fatalError "Please remove $SMALI_TARGET first!"
else
    mkdir $SMALI_TARGET
fi

if [ -e $JAVA_TARGET ]
then
    fatalError "Please remove $JAVA_TARGET first!"
else
    mkdir $JAVA_TARGET
fi

info "Close all JD-GUI windows NOW! Then remove your hands from the keyboard and mouse and don't touch it anymore"
sleep 5

for f in $FILES
do
    info "Processing $f file..."
    info "Disassembling (to smali)..."
    $APKTOOLSTART d $f $SMALI_TARGET/$f-source

    info "Decompiling (to java)..."

    cd $DEX2JARLOCATION
    $DEX2JAR $APKLOCATION/$f
    if [ -e $APKLOCATION/$f.dex2jar.jar ]
    then
        mv $APKLOCATION/$f.dex2jar.jar $JAVA_TARGET/
        cd $JAVA_TARGET/
        $JDLOCATION $f.dex2jar.jar &
        sleep 1
        #the script was written to $TMP relative to the starting directory, so use the absolute path after the cd
        osascript "$ORGWD/$TMP/$APPLE_SCRIPT"
        if [ -e $JD_GUI_SAVE_LOCATION/$f.dex2jar.src.zip ]
        then
            mkdir $JAVA_TARGET/$f
            mv $JD_GUI_SAVE_LOCATION/$f.dex2jar.src.zip $JAVA_TARGET/$f/
            cd $JAVA_TARGET/$f/
            unzip -o -q $f.dex2jar.src.zip
            rm $f.dex2jar.src.zip
        else
            error "The Apple script didn't properly save the zip file."
        fi
        rm $JAVA_TARGET/$f.dex2jar.jar
    else
        error "The decompiling with dex2jar did not work for: $f"
        error "I don't know why yet, but some apk simply don't work"
        error "Ignoring this app"
    fi
    cd $APKLOCATION
done

cd $ORGWD
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-jdgui-interactive2.sh:
--------------------------------------------------------------------------------

#This function relies on the caller having defined TARGETPATH, DEX2JARLOCATION, APKTOOLSTART
#and JDLOCATION, and the logging helpers info, error and fatalError.
function dissassemlbeAndDecompileAndroidApps()
{
    #Configurable Parameters
    APKLOCATION=$1 #android-apps - where the APK files are stored
    APPLE_SCRIPT=$2 #jd-gui-save-all.scpt - Location of the apple script to do automatic source saving in JD-GUI
    JD_GUI_SAVE_LOCATION=$3 # /opt - Where the apple script with JD-GUI is going to save the zip files with the java sources

    #The apple script for JD-Gui could look for example as follows:
    # tell application "JD-GUI"
    #     activate
    # end tell
    # #delay 1
    # tell application "System Events"
    #     keystroke "s" using {command down, option down}
    # end tell
    # tell application "System Events"
    #     keystroke tab
    #     keystroke tab
    #     keystroke tab
    #     key code 125 #Down
    #     key code 125 #Down
    #     key code 125 #Down
    #     key code 125 #Down
    #     key code 125 #Down
    #     key code 36 #Enter
    #     delay 1
    #     key code 36 #Enter
    #     delay 2
    # end tell
    #
    # repeat while appIsRunning("JD-GUI")
    #     tell application "System Events"
    #         keystroke "q" using {command down}
    #     end tell
    #     delay 2
    # end repeat
    #
    # on appIsRunning(appName)
    #     tell application "System Events" to (name of processes) contains appName
    # end appIsRunning

    ORGWD=`pwd`
    #Decompiling
    JAVA_TARGET=$TARGETPATH/java-new #A folder to store the java code (should not exist)
    #Disassembling
    SMALI_TARGET=$TARGETPATH/smali-new #A temporary folder


    #Preparing for disassembling
    _classpath=""
    for k in $DEX2JARLOCATION/lib/*.jar
    do
        _classpath="${_classpath}:${k}"
    done
    DEX2JAR="java -Xms512m -Xmx1024m -classpath ${_classpath} com.googlecode.dex2jar.v3.Main"


    #Look for the files to decompile/disassemble
    cd $APKLOCATION
    echo $APKLOCATION
    FILES="`ls *.apk`"

    if [ -e $SMALI_TARGET ]
    then
        fatalError "Please remove $SMALI_TARGET first!"
    else
        mkdir $SMALI_TARGET
    fi

    if [ -e $JAVA_TARGET ]
    then
        fatalError "Please remove $JAVA_TARGET first!"
    else
        mkdir $JAVA_TARGET
    fi

    info "Close all JD-GUI windows NOW! Then remove your hands from the keyboard and mouse and don't touch it anymore"
    sleep 5

    for f in $FILES
    do
        info "Processing $f file..."
        info "Disassembling (to smali)..."
        $APKTOOLSTART d $f $SMALI_TARGET/$f-source

        info "Decompiling (to java)..."

        cd $DEX2JARLOCATION
        $DEX2JAR $APKLOCATION/$f
        if [ -e $APKLOCATION/$f.dex2jar.jar ]
        then
            mv $APKLOCATION/$f.dex2jar.jar $JAVA_TARGET/
            cd $JAVA_TARGET/
            $JDLOCATION $f.dex2jar.jar &
            sleep 1
            osascript $APPLE_SCRIPT
            if [ -e $JD_GUI_SAVE_LOCATION/$f.dex2jar.src.zip ]
            then
                mkdir $JAVA_TARGET/$f
                mv $JD_GUI_SAVE_LOCATION/$f.dex2jar.src.zip $JAVA_TARGET/$f/
                cd $JAVA_TARGET/$f/
                unzip -o -q $f.dex2jar.src.zip
                rm $f.dex2jar.src.zip
            else
                error "The Apple script didn't properly save the zip file."
            fi
            rm $JAVA_TARGET/$f.dex2jar.jar
        else
            error "The decompiling with dex2jar did not work for: $f"
            error "I don't know why yet, but some apk simply don't work"
            error "Ignoring this app"
        fi
        cd $APKLOCATION
    done

    cd $ORGWD

}
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-jdgui-jdcore.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------

if [ $# -ne 1 ]
then
    echo "Usage: `basename $0` /path/to/jar/to/decompile.jar"
    exit 0
fi

JD_CORE="/opt/jd-core/jd-core.jar"

if [ ! -f "$JD_CORE" ]
then
    echo "Didn't find jd-core.jar in $JD_CORE, is it really there? Please make sure you specify the jd-core.jar location or configure another decompiler script."
    exit 1
fi

echo "#Decompiling $1"

JAR_FILE="$1" #e.g. /home/Users/user/project/software.jar
TARGET_FOLDER="`dirname $1`/" #e.g. /home/Users/user/project/

java -jar "$JD_CORE" "$JAR_FILE" "$TARGET_FOLDER"

--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-krakatau.sh:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/decompiler-alternatives/java-decompile-krakatau.sh
--------------------------------------------------------------------------------
/decompiler-alternatives/java-decompile-procyon.sh:
--------------------------------------------------------------------------------



#Probably not the best choice for <= java 1.4
#More information: https://bitbucket.org/mstrobel/procyon/wiki/Java%20Decompiler


#procyon needs Java 1.7
#If you are on a Mac, CAREFULLY read http://docs.oracle.com/javase/7/docs/webnotes/install/mac/mac-install-faq.html


--------------------------------------------------------------------------------
/diff-it.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------

TARGET="./diff-output"

if [ $# -lt 2 ]
then
    echo "Usage: `basename $0` old-dir new-dir [output-dir]"
    exit 0
fi

if [ $# -eq 3 ]
then
    #argument without last /
    TARGET=${3%/}
fi

#remove last / of arguments
#(both directories are expected as paths relative to the current directory, see "./$ONE" below)
ONE=${1%/}
TWO=${2%/}
CUR="`pwd`"

echo "#Diffing $1 and $2"


mkdir "$TARGET"

cd "$ONE"
find . -type f -print | sort -u > "$CUR/$TARGET/file-list-ONE.txt"
cd "$CUR" #TWO can be relative, so go back first
cd "$TWO"
find . -type f -print | sort -u > "$CUR/$TARGET/file-list-TWO.txt"
cd "$CUR"

#Summary: Which files differ at all?
diff -E -b -w -r -q "./$ONE" "./$TWO" > "$TARGET/different-files.txt"

#Summary: Which files are new/were deleted (comm needs sorted input, which sort -u above provides)
echo "Checking which files differ, were added or removed"
comm -23 "$TARGET/file-list-ONE.txt" "$TARGET/file-list-TWO.txt" > "$TARGET/removed-files.txt"
comm -13 "$TARGET/file-list-ONE.txt" "$TARGET/file-list-TWO.txt" > "$TARGET/new-files.txt"
comm -12 "$TARGET/file-list-ONE.txt" "$TARGET/file-list-TWO.txt" > "$TARGET/common-files.txt"

#The details of all diffs: This is what we should normally check...
echo "Producing the main diff"
diff -E -b -w -r "./$ONE" "./$TWO" > "$TARGET/diff-everything.txt"

#do it separately for each file extension, so if we're in a hurry, we can e.g. only look at .java files
#these types will generate a diff file each
types="java jsp m h properties xml c cpp"
for t in $types; do
    grep -E "\.$t$" "$TARGET/common-files.txt" > "$TARGET/common-$t.txt"
done
#getting files with other extensions than $types, will create one file for all of them
grep -vE ".*\.(`echo $types | tr " " "|"`)$" "$TARGET/common-files.txt" > "$TARGET/common-others.txt"

types="$types others"
for t in $types; do
    #generate the diff
    echo "Diffing $t files"
    #uncomment to generate the two-sided comparison - WARN: it's not possible to print filenames and line numbers this way
    #cat common-$t.txt | xargs -I {} -n1 diff -E -b -w -y --strip-trailing-cr --suppress-common-lines -W 200 --tabsize=4 -t $ONE/{} $TWO/{} > diff-$t.txt
    cat "$TARGET/common-$t.txt" | xargs -I {} diff -E -b -w -u "$ONE/{}" "$TWO/{}" > "$TARGET/diff-$t.txt"
done


echo "Cleaning up, removing empty files in $TARGET"
#-maxdepth has to come before the other tests, otherwise GNU find warns and may not apply it as intended
find "$TARGET" -maxdepth 1 -type f -size 0 -delete
--------------------------------------------------------------------------------
/extract-it.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# January 2022
# ----------------------------------------------------------------------------


#one mandatory argument (the directory) and an optional output directory
if [ $# -lt 1 ] || [ $# -gt 2 ]
then
    echo "Usage: `basename $0` dir-to-extract [output-dir]"
    exit 0
fi

DIR=${1%/}

TARGET="./extract-output"
if [ $# -eq 2 ]
then
    #argument without last /
    TARGET=${2%/}
fi
mkdir "$TARGET"

#Write the comment to each file at the beginning
WRITE_COMMENT="true"


echo "#Extracting $DIR"

GREP_COMMAND="/opt/local/bin/ggrep"
if [ ! -f "$GREP_COMMAND" ]
then
    GREP_COMMAND="ggrep"
    if ! command -v $GREP_COMMAND &> /dev/null
    then
        GREP_COMMAND="grep"
        if ! command -v $GREP_COMMAND &> /dev/null
        then
            echo "Could not find a usable 'grep'"
            exit 1
        fi
    fi
fi

#grep -ro prints "path:match"; cut -f 2- keeps everything after the first colon so a colon inside the match survives
echo "Extracting all Java @JsonProperty annotations to feed them into the ParamMiner Portswigger Burp extension"
$GREP_COMMAND -roP '@JsonProperty\(\K[^)]{1,300}' "$DIR"|cut -d ":" -f 2-|sort -u > "$TARGET/java_json_property_bindings.txt"

echo "Extract all Java Spring framework getHeader for example for org.springframework.web.context.request.NativeWebRequest"
$GREP_COMMAND -roP '\.getHeader\(\K[^)]{1,300}' "$DIR"|cut -d ":" -f 2-|sort -u > "$TARGET/java_spring_getHeader.txt"

echo "Extract all occurrences of .equals() and .equalsIgnoreCase(). Then compare if the same parameter name is used in both."
echo "This possibly indicates that a certain filter/check that is done with .equals() can later be circumvented with different capitalization"

$GREP_COMMAND -roP '\.equals\(\K[^)]{1,300}' "$DIR"|cut -d ":" -f 2-|sort -u > "$TARGET/equals_parameters.txt"
$GREP_COMMAND -roP '\.equalsIgnoreCase\(\K[^)]{1,300}' "$DIR"|cut -d ":" -f 2-|sort -u > "$TARGET/equalsIgnoreCase_parameters.txt"
OUTFILE="equals_parameters_to_check_for_filter_bypass_via_casing.txt"
if [ "$WRITE_COMMENT" = "true" ]; then
    echo "# The following parameters are passed to .equals() *and* to .equalsIgnoreCase(). This possibly indicates that a certain filter/check that is done with .equals() can later be circumvented with different capitalization because that's accepted." >> "$TARGET/$OUTFILE"
fi
# comm -1 -2 "$TARGET/equals_parameters.txt" "$TARGET/equalsIgnoreCase_parameters.txt" > "$TARGET/equals_parameters_to_check_for_filter_bypass_via_casing.txt"
# common lines in two files = grep -F -x -f
# appended (>>) so the comment written above is not overwritten
$GREP_COMMAND -F -x -f "$TARGET/equals_parameters.txt" "$TARGET/equalsIgnoreCase_parameters.txt" >> "$TARGET/$OUTFILE"
rm "$TARGET/equals_parameters.txt" "$TARGET/equalsIgnoreCase_parameters.txt"

#TODO: E.g. extract metadata out of word files and images
#for example for images with ImageMagick:
#identify -verbose image.jpg
#exiftool-5.12 is another option
#e.g. make longitude/latitude link on google maps

--------------------------------------------------------------------------------
/find-it.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# A simple file identifier for code, loot, IT-tech-stuff-the-customer-throws-at-you.
# Tries to find IT security and privacy related stuff.
# For pentesters.
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------
#
# Requirements:
# - find command. Reason: Get all files and exec file with them
# - file command. Reason: To identify file types
# - grep command. Reason: We need to filter certain results
# - sort command. Reason: Uniquely sorted (if you don't have sort -u you can use uniq as well)
# - mkdir command. Reason: we need to make the $TARGET directory
#
# Howto:
# - Customize the "OPTIONS" section below to your needs
# - Copy this file to the parent directory which you want to find
# - run it like this: ./find-it.sh ./directory-to-find-through/
#
# Output:
# You can check the output with any text viewer, "less -R ./find-output/*" works fine
# Output files have the following naming conventions (separated by underscore):
# - priority: 1-5, where 1 is more interesting (low false positive rate, certainty of "vulnerability") and 5 is only "you might want to have a look"
# - section: e.g. by file extension, or using the "file" command
# - name of what we looked for

###
#OPTIONS - please customize
###
FIND_COMMAND="find"
FILE_COMMAND="file"
GREP_COMMAND="grep"
SORT_COMMAND="sort"
CUT_COMMAND="cut"
ADDITIONAL_FIND_ARGUMENTS=""
#Where to put the output (if not otherwise specified on command line)
TARGET="./find-output"
#Write the comment to each file at the beginning
WRITE_COMMENT="true"

#In my opinion I would always leave all the options below here on true,
#I would only change it if the script needs very long, you are looking through a lot of stuff
#or if you have any other performance issues with this script.

#try to find file types according to the "file" command
DO_FILE_COMMAND="true"

#try to find file types according to their file extension
DO_FILEEXTENSION="true"

#try to find files according to known interesting file names
DO_FILE_NAME="true"

###
#END OPTIONS
#Normally you don't have to change anything below here...
###

###
#CODE SECTION
#As a user of this script you shouldn't need to care about the stuff that is coming down here...
###

# Conventions if you add new searches:
# - First think about which sections you want to put a new rule in
# - Most of the time we use find not with regex but with the simple pattern of -iname (from the find man):
#       -name pattern
#               True if the last component of the pathname being examined matches
#               pattern. Special shell pattern matching characters (``['',
#               ``]'', ``*'', and ``?'') may be used as part of pattern. These
#               characters may be matched explicitly by escaping them with a
#               backslash (``\'').
# - If in doubt, prefer to make two searches and output files rather than joining with wildcards. If one produces false positives it is really annoying to search for the true positives of the other.
# - Take care with single/double quoted strings. From the bash manual:
#       3.1.2.2 Single Quotes
#       Enclosing characters in single quotes (‘'’) preserves the literal value of each character within the quotes. A single quote may not occur between single quotes, even when preceded by a backslash.
#       3.1.2.3 Double Quotes
#       Enclosing characters in double quotes (‘"’) preserves the literal value of all characters within the quotes, with the exception of ‘$’, ‘`’, ‘\’, and, when history expansion is enabled, ‘!’. The characters ‘$’ and ‘`’ retain their special meaning within double quotes (see Shell Expansions). The backslash retains its special meaning only when followed by one of the following characters: ‘$’, ‘`’, ‘"’, ‘\’, or newline. Within double quotes, backslashes that are followed by one of these characters are removed. Backslashes preceding characters without a special meaning are left unmodified. A double quote may be quoted within double quotes by preceding it with a backslash. If enabled, history expansion will be performed unless an ‘!’ appearing in double quotes is escaped using a backslash. The backslash preceding the ‘!’ is not removed. The special parameters ‘*’ and ‘@’ have special meaning when in double quotes (see Shell Parameter Expansion).
#
# TODO:
# - Delete files when find doesn't have a result.
Find's exit code can't be used for that :( 90 | # - Find PKCS#12 files and their encryption: find code-from-bitbucket-modified -iname "*.jks" -exec echo % openssl pkcs12 -info -noout -nomacver -passin pass:unknown -in {} \; -exec openssl pkcs12 -info -noout -nomacver -passin pass:unknown -in {} \; 2>&1 |ggrep -v 'PKCS7 Data'|ggrep -v 'Error outputting keys and certificates'| grep -v 'error' 91 | 92 | if [ $# -lt 1 ] 93 | then 94 | echo "Usage: `basename $0` directory-to-grep-through [output-dir]" 95 | exit 0 96 | fi 97 | 98 | if [ "$1" = "." ] 99 | then 100 | echo "You are shooting yourself in the foot. Do not find through . but rather cd into parent directory and mv `basename $0` there." 101 | echo "READ THE HOWTO (3 lines)" 102 | exit 0 103 | fi 104 | 105 | if [ $# -eq 2 ] 106 | then 107 | #argument without last / 108 | TARGET=${2%/} 109 | fi 110 | 111 | #argument without last / 112 | SEARCH_FOLDER=${1%/} 113 | 114 | mkdir "$TARGET" 115 | 116 | echo "Output will be put into this folder: $TARGET" 117 | echo "You are currently finding through folder: $SEARCH_FOLDER" 118 | 119 | if [ "$DO_FILE_COMMAND" = "true" ]; then 120 | 121 | # Attention: This can take a very very long time... 122 | MAIN_OUTFILE="3_file_all_files_listed.txt" 123 | echo "# Info: All files and their type according to the file command" >> $TARGET/$MAIN_OUTFILE 124 | echo "# Filename: $MAIN_OUTFILE" >> "$TARGET/$MAIN_OUTFILE" 125 | echo "# Search: file {}" >> "$TARGET/$MAIN_OUTFILE" 126 | echo "Searching for results for $MAIN_OUTFILE" 127 | $FIND_COMMAND "$SEARCH_FOLDER" -exec $FILE_COMMAND '{}' \; >> $TARGET/$MAIN_OUTFILE 128 | 129 | # ... 
therefore, at least don't do it again and just work on the above output 130 | OUTFILE="2_file_all_types.txt" 131 | echo "# Info: All types uniquely listed (according to the file command)" >> $TARGET/$OUTFILE 132 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 133 | #echo "# Search: file -b {} | sort -u" >> "$TARGET/$OUTFILE" 134 | echo "# Search: grep -v '^#' $TARGET/$MAIN_OUTFILE | cut -d ':' -f 2- | sort -u" >> "$TARGET/$OUTFILE" 135 | echo "Searching for results for $OUTFILE" 136 | $GREP_COMMAND -v '^#' "$TARGET/$MAIN_OUTFILE" | $CUT_COMMAND -d ":" -f 2- | $SORT_COMMAND -u >> $TARGET/$OUTFILE 137 | 138 | OUTFILE="1_file_dot_net_decompilable_files.txt" 139 | echo "# Info: .NET executable files (and therefore decompilable) according to file command" >> $TARGET/$OUTFILE 140 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 141 | #echo "# Search: file {}|grep -i executable|grep -i '.net'" >> "$TARGET/$OUTFILE" 142 | echo "# Search: grep -v '^#' $TARGET/$MAIN_OUTFILE |grep -i executable|grep -i '.net'" >> "$TARGET/$OUTFILE" 143 | echo "Searching for results for $OUTFILE" 144 | #$FIND_COMMAND "$SEARCH_FOLDER" -exec $FILE_COMMAND '{}' \; | $GREP_COMMAND -i executable | $GREP_COMMAND -i '.net' >> $TARGET/$OUTFILE 145 | $GREP_COMMAND -v '^#' "$TARGET/$MAIN_OUTFILE" | $GREP_COMMAND -i executable | $GREP_COMMAND -i '.net' >> $TARGET/$OUTFILE 146 | 147 | #jars are just zips according to file: Zip archive data, at least v1.0 to extract 148 | #class: compiled Java class data, version 50.0 (Java 1.6) 149 | OUTFILE="1_file_java_decompilable_files.txt" 150 | echo "# Info: Java class files (and therefore decompilable) according to file command, but attention: file detects jar files as zips, so jars are not listed." 
>> $TARGET/$OUTFILE 151 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 152 | #echo "# Search: file {}|grep -i \"Java class\"" >> "$TARGET/$OUTFILE" 153 | echo "# Search: grep -v '^#' $TARGET/$MAIN_OUTFILE |grep -i \"Java class\"" >> "$TARGET/$OUTFILE" 154 | echo "Searching for results for $OUTFILE" 155 | $GREP_COMMAND -v '^#' "$TARGET/$MAIN_OUTFILE" | $GREP_COMMAND -i "Java class" >> $TARGET/$OUTFILE 156 | 157 | fi 158 | 159 | if [ "$DO_FILEEXTENSION" = "true" ]; then 160 | 161 | OUTFILE="2_find_pfx.txt" 162 | echo "# Info: All pfx files (certificates and private key) according to their file extension" >> $TARGET/$OUTFILE 163 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 164 | echo "# Search: find -iname '*.pfx'" >> "$TARGET/$OUTFILE" 165 | echo "Searching for results for $OUTFILE" 166 | $FIND_COMMAND "$SEARCH_FOLDER" -iname '*.pfx' >> $TARGET/$OUTFILE 167 | 168 | OUTFILE="2_find_p12.txt" 169 | echo "# Info: All p12 files (certificates and private key) according to their file extension" >> $TARGET/$OUTFILE 170 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 171 | echo "# Search: find -iname '*.p12'" >> "$TARGET/$OUTFILE" 172 | echo "Searching for results for $OUTFILE" 173 | $FIND_COMMAND "$SEARCH_FOLDER" -iname '*.p12' >> $TARGET/$OUTFILE 174 | 175 | OUTFILE="2_find_pem.txt" 176 | echo "# Info: All pem files (certificates and private key) according to their file extension" >> $TARGET/$OUTFILE 177 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 178 | echo "# Search: find -iname '*.pem'" >> "$TARGET/$OUTFILE" 179 | echo "Searching for results for $OUTFILE" 180 | $FIND_COMMAND "$SEARCH_FOLDER" -iname '*.pem' >> $TARGET/$OUTFILE 181 | 182 | OUTFILE="2_find_key.txt" 183 | echo "# Info: All key files (private key) according to their file extension" >> $TARGET/$OUTFILE 184 | echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE" 185 | echo "# Search: find -iname '*.key'" >> "$TARGET/$OUTFILE" 186 | echo "Searching for results for $OUTFILE" 187 | 
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*.key' >> "$TARGET/$OUTFILE"

OUTFILE="2_find_htpasswd.txt"
echo "# Info: All htpasswd files (web authorization passwords) according to their file name" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*htpasswd*'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*htpasswd*' >> "$TARGET/$OUTFILE"

OUTFILE="1_find_azure_publishsettings.txt"
echo "# Info: All publishsettings files (Azure settings file) according to their file extension" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.publishsettings'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*.publishsettings' >> "$TARGET/$OUTFILE"

OUTFILE="4_find_class.txt"
echo "# Info: All class files (decompilable!) according to their file extension" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.class'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*.class' >> "$TARGET/$OUTFILE"

OUTFILE="4_find_jar.txt"
echo "# Info: All jar files (decompilable!) according to their file extension" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.jar'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*.jar' >> "$TARGET/$OUTFILE"

# Note for the patterns below: '?' in -iname matches exactly one character, so '*.php?' on its own
# finds .php5 but not .php (same for .htm, .js and .log); therefore two patterns joined with -o.
OUTFILE="4_find_php.txt"
echo "# Info: All php files (cleartext!) according to their file extension (.php .php5 etc.)" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.php' -o -iname '*.php?'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" \( -iname '*.php' -o -iname '*.php?' \) >> "$TARGET/$OUTFILE"

OUTFILE="3_find_db.txt"
echo "# Info: All sqlite or other database files (cleartext?) according to their file extension (.db)" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.db'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*.db' >> "$TARGET/$OUTFILE"

OUTFILE="3_find_c.txt"
echo "# Info: All c files (cleartext?) according to their file extension (.c)" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.c'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*.c' >> "$TARGET/$OUTFILE"

OUTFILE="5_find_html.txt"
echo "# Info: All html files according to their file extension (.html .htm)" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.htm' -o -iname '*.html'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" \( -iname '*.htm' -o -iname '*.html' \) >> "$TARGET/$OUTFILE"

OUTFILE="5_find_javascript.txt"
echo "# Info: All javascript files according to their file extension (.js, plus .jsp and similar)" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.js' -o -iname '*.js?'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" \( -iname '*.js' -o -iname '*.js?' \) >> "$TARGET/$OUTFILE"

OUTFILE="5_find_log.txt"
echo "# Info: All log files according to their file extension (.log .log1 .log2)" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*.log' -o -iname '*.log?'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" \( -iname '*.log' -o -iname '*.log?' \) >> "$TARGET/$OUTFILE"

OUTFILE="5_find_all_others.txt"
echo "# Info: All files with file extensions we didn't look for yet" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find | grep -E -i -v '\.(pfx|p12|pem|key|publishsettings|class|jar|php[0-9]?|db|c|html?|log[0-9]?|jsp?)\$'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
# -E is required for '|' to mean alternation: in basic grep syntax a plain '|' is a literal character,
# so the unescaped list would exclude nothing. The anchor keeps '\.c' from also dropping .config, .cpp, .cs, ...
$FIND_COMMAND "$SEARCH_FOLDER" | $GREP_COMMAND -E -i -v '\.(pfx|p12|pem|key|publishsettings|class|jar|php[0-9]?|db|c|html?|log[0-9]?|jsp?)$' >> "$TARGET/$OUTFILE"

fi

if [ "$DO_FILE_NAME" = "true" ]; then

OUTFILE="1_filename_web-xml.txt"
echo "# Info: web.xml is the Spring frameworks main mapping XML and important to understand which URLs are mapped to where" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname 'web.xml'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname 'web.xml' >> "$TARGET/$OUTFILE"

OUTFILE="1_filename_commons-collection.txt"
echo "# Info: commons-collection can be used to exploit deserialization issues. Deserialization is something that can result in remote command execution, there are various exploits for such things, see http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/ for example" >> "$TARGET/$OUTFILE"
echo "# Filename: $OUTFILE" >> "$TARGET/$OUTFILE"
echo "# Search: find -iname '*commons*collection*'" >> "$TARGET/$OUTFILE"
echo "Searching for results for $OUTFILE"
$FIND_COMMAND "$SEARCH_FOLDER" -iname '*commons*collection*' >> "$TARGET/$OUTFILE"

#TODO filenames:
#wsadmin.properties configuration file of Websphere


#TODO:
#random
#sql
#database
#keychain
#shadow
#passwd
#key
#salt
#pass
#secret
#pin
#authorization
#authentication


fi

--------------------------------------------------------------------------------
/java-decompile.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------

if [ $# -ne 1 ]
then
    echo "Usage: $(basename "$0") /path/to/jar/to/decompile.jar"
    exit 0
fi

JD_CORE="/opt/jd-core-java/build/libs/jd-core-java-1.2.jar"

if [ ! -f "$JD_CORE" ]
then
    echo "Error: Didn't find jd-core.jar in $JD_CORE, is it really there? Please make sure you specify the jd-core.jar location or configure another decompiler script."
    exit 1
fi

echo "#Invoking jd-core with $1"

JAR_FILE="$1" #e.g. /home/Users/user/project/software.jar
#Unsure if this might be a better idea:
#TARGET_FOLDER="$1-decompiled"
#Pros: all decompiled stuff in separate folder, can't overwrite anything that's already there
#Cons: Have to look through separate folder to search for corresponding .java class, more folders, etc.
TARGET_FOLDER=$(dirname "$1") #e.g. /home/Users/user/project/

java -jar "$JD_CORE" "$JAR_FILE" "$TARGET_FOLDER/"

--------------------------------------------------------------------------------
/main.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# ----------------------------------------------------------------------------
# "THE BEER-WARE LICENSE" (Revision 42):
# wrote this file. As long as you retain this notice you
# can do whatever you want with this stuff. If we meet some day, and you think
# this stuff is worth it, you can buy me a beer in return
# floyd http://floyd.ch @floyd_ch
# July 2013
# ----------------------------------------------------------------------------

if [ $# -eq 1 ]; then
    echo "[+] Starting analysis of $1"

    #remove last / of directory arguments
    DIR=${1%/}

    #Only use the original directory for find, grep and extract
    #Sometimes you might only want to do this (not running bloat and clean):
    #echo "[+] Invoking ./find-it.sh \"$DIR\""
    #./find-it.sh "$DIR"
    #echo "[+] Invoking ./grep-it.sh \"$DIR\""
    #./grep-it.sh "$DIR"
    #echo "[+] Invoking ./extract-it.sh \"$DIR\""
    #./extract-it.sh "$DIR"


    DIR_MODIFIED="$DIR-modified"
    echo "[+] Copying $DIR to $DIR_MODIFIED"
    cp -r "$DIR" "$DIR_MODIFIED"

    echo "[+] Invoking ./bloat-it.sh \"$DIR_MODIFIED\""
    ./bloat-it.sh "$DIR_MODIFIED"
    echo "[+] Invoking ./clean-it.sh \"$DIR_MODIFIED\""
    ./clean-it.sh "$DIR_MODIFIED"
    echo "[+] Invoking ./find-it.sh \"$DIR_MODIFIED\""
    ./find-it.sh "$DIR_MODIFIED" "./find-output-modified"
    echo "[+] Invoking ./grep-it.sh \"$DIR_MODIFIED\""
    ./grep-it.sh "$DIR_MODIFIED" "./grep-output-modified"
    echo "[+] Invoking ./extract-it.sh \"$DIR_MODIFIED\""
    ./extract-it.sh "$DIR_MODIFIED" "./extract-output-modified"

    echo "[+] You can now start analyzing the '-modified' directories, we're finished with those."
    echo "[+] Now also applying to non-modified dir, if you don't get satisfactory results in the modified one, look at the results without such a suffix"
    echo "[+] Invoking ./find-it.sh \"$DIR\""
    ./find-it.sh "$DIR"
    echo "[+] Invoking ./grep-it.sh \"$DIR\""
    ./grep-it.sh "$DIR"
    echo "[+] Invoking ./extract-it.sh \"$DIR\""
    ./extract-it.sh "$DIR"

    echo "[+] Ended analysis of $1"
    echo "[+] Might be better if you do this manually:"
    echo "rm -r \"$DIR_MODIFIED\""


elif [ $# -eq 2 ]; then
    echo "[+] Starting analysis of $1 and $2"

    #remove last / of directory arguments
    OLD_DIR=${1%/}
    NEW_DIR=${2%/}

    OLD_DIR_MODIFIED="$OLD_DIR-for-diff"
    NEW_DIR_MODIFIED="$NEW_DIR-for-diff"

    echo "[+] Copying $OLD_DIR to $OLD_DIR_MODIFIED"
    cp -r "$OLD_DIR" "$OLD_DIR_MODIFIED"

    echo "[+] Copying $NEW_DIR to $NEW_DIR_MODIFIED"
    cp -r "$NEW_DIR" "$NEW_DIR_MODIFIED"

    ./bloat-it.sh "$OLD_DIR_MODIFIED"
    ./bloat-it.sh "$NEW_DIR_MODIFIED"
    ./clean-it.sh "$OLD_DIR_MODIFIED"
    ./clean-it.sh "$NEW_DIR_MODIFIED"
    ./diff-it.sh "$OLD_DIR_MODIFIED" "$NEW_DIR_MODIFIED" "./diff-output-modified"

    #Don't run these. Users can invoke main.sh again with one of the folders if they
    #would like to find, grep, extract, etc.
    #./find-it.sh "$NEW_DIR"
    #if you get too much garbage, look into find-it.sh script or use:
    #./find-it.sh "$NEW_DIR_MODIFIED"
    #./grep-it.sh "$NEW_DIR"
    #if you get too much garbage, look into grep-it.sh script or use:
    #./grep-it.sh "$NEW_DIR_MODIFIED"

    echo "[+] Might be better if you do this manually:"
    echo "rm -r \"$OLD_DIR_MODIFIED\""
    echo "rm -r \"$NEW_DIR_MODIFIED\""

    echo "We only ran the diff script. If you would like to grep, find, etc. invoke main.sh only with one of the directories."
else
    echo "Usage: $(basename "$0") directory [new-directory]"
    echo "If you specify new-directory, directory will be used as the former (old) version and diff will be invoked instead of grep, find, etc."
    exit 1
fi

--------------------------------------------------------------------------------
/testing/main-test.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#test the script with the contents of tests/

cd .. || exit 1

#bloat, clean, grep, find, extract, etc. testing:
cp -r ./testing/tests tests-copy
./main.sh tests-copy/

#diff testing:
./main.sh tests-copy/diff-test/old/ tests-copy/diff-test/new/

rm -r tests-copy

echo "You want to run this after you are finished:"
echo "rm -rf find-output-modified grep-output-modified diff-output-modified tests-copy-modified"
--------------------------------------------------------------------------------
/testing/ripgrep-test.txt:
--------------------------------------------------------------------------------
#Tested the grep-it.sh script with ripgrep compared to gnu grep:
#ripgrep is an alternative for grep https://github.com/BurntSushi/ripgrep that can be used instead
#a couple of regexes will fail with ripgrep, most will work
#when I last checked two failed, one with ?! (negative lookahead) and one with argument -o
#Test with some disassembled and decompiled Android apps on a quad core machine:
#gnu grep without BACKGROUND: real 5m25.681s (gnu grep on OSX on 1 core) VS real 2m7.955s (ripgrep on OSX on 4 cores)
#gnu grep with 4 MAX_PROCESSES and BACKGROUND: real 2m18.764s (gnu grep on OSX on 4 cores) VS real 2m7.955s (ripgrep on OSX on 4 cores)
#and that overhead of gnu grep is probably only because we have a sleep 0.25 when BACKGROUND is enabled!
#We could lower that to 0.1 or something, but I'm not convinced it's worth the overhead
#therefore it seems it has only little/no benefit for us
#ripgrep command:
GREP_COMMAND="/opt/ripgrep/target/release/rg"
#ripgrep arguments:
GREP_ARGUMENTS="-uu -n -A 1 -B 3"
--------------------------------------------------------------------------------
/testing/tests/bloat-test/test.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/testing/tests/bloat-test/test.zip
--------------------------------------------------------------------------------
/testing/tests/decompile-test/src/HelloWorld.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/testing/tests/decompile-test/src/HelloWorld.class
--------------------------------------------------------------------------------
/testing/tests/decompile-test/src/HelloWorld.java:
--------------------------------------------------------------------------------
class HelloWorld {
    public static void main(String[] a) {
        System.out.println("Hello world");
    }
}
--------------------------------------------------------------------------------
/testing/tests/decompile-test/src/run.sh:
--------------------------------------------------------------------------------
java -classpath HelloWorld.jar HelloWorld
--------------------------------------------------------------------------------
/testing/tests/decompile-test/test1/HelloWorld.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/testing/tests/decompile-test/test1/HelloWorld.jar
--------------------------------------------------------------------------------
/testing/tests/decompile-test/test2/HelloWorld.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/testing/tests/decompile-test/test2/HelloWorld.war
--------------------------------------------------------------------------------
/testing/tests/decompile-test/test3/HelloWorld.class:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/floyd-fuh/crass/031c8dea008d22b95dd6f61a72fce177abd5a5fb/testing/tests/decompile-test/test3/HelloWorld.class
--------------------------------------------------------------------------------
/testing/tests/diff-test/new/abc.txt:
--------------------------------------------------------------------------------
aaaaaaaaabbb
bbbbcccc
dddd
--------------------------------------------------------------------------------
/testing/tests/diff-test/new/def.txt:
--------------------------------------------------------------------------------
same same, but different
--------------------------------------------------------------------------------
/testing/tests/diff-test/new/new.txt:
--------------------------------------------------------------------------------
new
--------------------------------------------------------------------------------
/testing/tests/diff-test/old/abc.txt:
--------------------------------------------------------------------------------
aaaaaaaaabbb
bbbbcccc
dddd
--------------------------------------------------------------------------------
/testing/tests/diff-test/old/def.txt:
--------------------------------------------------------------------------------
same same, but different!!!!!!
--------------------------------------------------------------------------------
/testing/tests/diff-test/old/old.txt:
--------------------------------------------------------------------------------
old
--------------------------------------------------------------------------------
/testing/tests/grep-test/file.txt:
--------------------------------------------------------------------------------
#Not really a comprehensive list of tests for all greps, but for a couple of them at least
#Java:
String bla = "This is a Java String";
import javax.crypto.bla;
import org.bouncycastle.bla;
new SecretKeySpec(
.generateKey()
KeyGenerator.getInstance(
messagedigest
KeyPairGenerator(
toString( ) ==
== toString()
" ==
== "
.equals(
.equalsIgnoreCase(
executeBlaBla(
addBatch(
prepareStatement(
.setHeader(
.addCookie(
.sendRedirect(
.addHeader(
.getHeaders(
.getCookies(
.getRemoteHost(
.getContentType(
.getLocalName(
.getParameterBLABLA(
String.format(variable)
String.format(\"bla-%s\"+taintedInput, variable);
ProcessBuilder
setMaxInactiveInterval()
@Entity
@ManyToOne
@OneToMany
@OneToOne
@Table
@Column
java.net.
java.io.
javax.servlet
org.apache.http
string password
string secret
string key
string cvv
string user
string passcode
string passphrase
string user
string pin
string credit
SSLSocketFactory
\u0041\u0042
#JSP:
.sendRedirect(
.forward(
:forward
escape = ' false
escape = " false
escapeXml = ' false
escapeXml = " false
<%= ABCZ_abc_123_XYZ_xyz_456.getABCZ_abc_123_XYZ_xyz_456(LALALALALALALALALALA) %>
.getParameter(
out.print(" can not be a string format vuln


False positive: MappingCode --> pin.code false positive
False positive: HashIterator --> shit false positive



.exec(

.printStackTrace(

NSFileProtection
NSFileManager
NSPersistantStoreCoordinator
malloc(
realloc(
kSecAttrAccessible
SecItemAdd
KeychainItemWrapper
Security.h
NSLog(
initWithFormat:
informativeTextWithFormat:
format:
stringWithFormat:
appendFormat:
predicateWithFormat:
NSRunAlertPanel
handleOpenURL:
openURL:
adsfasdf@adsfasdf.com
hack
crack
exploit
bypass
backdoor
backd00r
https://gasdgas.com
http://abc.do
memcpy(
strcat(
strcpy(
strncat(
strncpy(
sprintf(
gets(
defaultApassword
hashAconstant
passAphrase
salt
encryptionkey
encryptAkey
BEGIN CERTIFICATE---
PRIVATE KEY---
rootAdetection
rootedDevice
SELECT adfasdfsd FROM
sqlite
stoopid
fuck
shit
crap
`between backticks`
--------------------------------------------------------------------------------
/visualize-it.sh:
--------------------------------------------------------------------------------
#show data in graphical form, for example where entropy is high...
--------------------------------------------------------------------------------
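As an added example (not part of CRASS), the script below reproduces the `.equals()`/`.equalsIgnoreCase()` cross-check from the fragment at the top of this section on a constructed Java class, so the result can be checked by eye: a string compared case-sensitively in one place and case-insensitively in another is exactly the pattern the CRASS output file flags for manual review. It uses `grep -h` instead of `cut -d ':'` so that arguments containing a colon survive, and `comm` on sorted lists instead of `grep -F -x -f`. `GREP_COMMAND` mirrors the CRASS knob (use `ggrep` on macOS); `make_sample`, `call_arguments` and `casing_candidates` are this example's own names and `Auth.java` is constructed input.

```shell
#!/bin/sh
# Added example, not part of CRASS: the .equals()/.equalsIgnoreCase()
# cross-check on a constructed Java sample.
# Assumes grep -r/-h/-o/-E (GNU grep, or BSD grep) and comm/sort.
GREP_COMMAND="${GREP_COMMAND:-grep}"
export LC_ALL=C   # identical collation for sort and comm

# Write a constructed Java class into the directory given as $1.
# "admin" is compared both case-sensitively and case-insensitively;
# "guest" and "localhost" only once each, so they must not be reported.
make_sample() {
    mkdir -p "$1"
    cat > "$1/Auth.java" <<'EOF'
public class Auth {
    boolean isAdmin(String role)       { return role.equals("admin"); }
    boolean isAdminLegacy(String role) { return role.equalsIgnoreCase("admin"); }
    boolean isGuest(String role)       { return role.equals("guest"); }
    boolean sameHost(String h)         { return h.equalsIgnoreCase("localhost"); }
}
EOF
}

# Print the unique arguments of every .$1( call found below $2, one per line.
# -h drops the "file:" prefix, so arguments containing ':' (ternaries, URLs)
# are kept whole; the sed strips the leading ".method(" from each match.
call_arguments() {
    $GREP_COMMAND -rhoE "\\.$1\\([^)]{1,300}" "$2" | sed "s/^\\.$1(//" | sort -u
}

# Arguments that appear in both lists: candidates for a case-sensitivity
# bypass (a check done with .equals() that is accepted elsewhere with
# .equalsIgnoreCase()). comm -12 prints only the lines common to both
# sorted inputs; an empty list on either side simply yields no output.
casing_candidates() {
    eq=$(mktemp)
    eqic=$(mktemp)
    call_arguments equals "$1" > "$eq"
    call_arguments equalsIgnoreCase "$1" > "$eqic"
    comm -12 "$eq" "$eqic"
    rm -f "$eq" "$eqic"
}

# ./casing-check.sh --demo  -> builds the sample in a temp dir and prints "admin"
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample "$tmp/src"
    casing_candidates "$tmp/src"
    rm -rf "$tmp"
fi
```

Every hit is a candidate only: the two calls may sit on unrelated code paths, so the reviewer still has to trace where the case-sensitive check guards something and whether the case-insensitive comparison reaches the same resource.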