#!/usr/bin/perl
# By Xianur0
# xianur0.null[at]gmail.com
#
# Carves forensic artefacts out of a raw disk image given on the command
# line: printable strings, candidate password strings, URIs, disk ids,
# bookmarks, cookies / PHP session ids, e-mail addresses, mysql command
# lines, proxy settings and eCryptfs encrypted-key names. Each category is
# appended to its own file under resultados/ (a directory that must already
# exist), each artefact being written only the first time it is seen.
#
# NOTE(review): this file is a reflowed copy of a source that was collapsed
# onto a single line; two spots marked below were lost in that extraction
# and do not parse as written. Nothing else was changed.
#
# NOTE(review): no `use strict; use warnings;` -- misspelt or undeclared
# variables (%cifrados and $linea below are never declared) pass silently.
#
# Usage message: "$1" is the last regex capture, not the program name --
# "$0" is presumably what was intended; confirm with the author.
$imagen = $ARGV[0] || die("Uso: $1 imagen.dd\n");
# NOTE(review): 2-arg open with no explicit mode and no error check. A
# filename beginning with '>' or '|' is taken as a mode/pipe, and a failed
# open is never noticed (the loop below simply reads nothing). The 3-arg
# form `open my $bin, '<', $imagen or die "open $imagen: $!"` avoids both.
open BIN,$imagen;

# Seen-once tables: key = artefact text, value = hit count. Each extractor
# prints only when the entry is absent or zero, then increments it.
my %uris = ();
my %disks = ();
my %bookmarks = ();    # also holds the accumulated body text while a bookmark is open
my %cookies = ();
my %emails = ();
my %volumenes = ();    # not referenced in the surviving code
my %mysqls = ();
my %proxys = ();
my $bookmark = "";     # body of the bookmark currently being accumulated
my $nbookmark = "";    # name of that bookmark; "" means none is open
my @lineas = ();       # printable runs carved from the current chunk
my $lineabin = "";     # current chunk read from the image
my $minpass = 5;       # length window for the brute-force candidate list
my $maxpass = 20;
my $todo = "";         # not referenced in the surviving code
my $grabar = 0;        # not referenced in the surviving code

# Decode "@NN@" (two decimal digits between '@') escapes back to characters.
# Not called in the surviving code. The ($) prototype changes how calls are
# parsed, it does not validate the argument.
sub ascii2char($) {
    (my $str = shift) =~ s/@([0-9]{2})@/chr($1)/eg;
    return $str;
}

# Decode a string of hex byte pairs to characters. Not called in the
# surviving code.
sub hex2ascii($) {
    (my $str = shift) =~ s/([a-fA-F0-9]{2})/chr(hex $1)/eg;
    return $str;
}

# One output file per artefact category. NOTE(review): none of these opens
# is checked; if resultados/ is missing every print below goes to an
# unopened handle and the run still reports success. These files contain
# recovered credentials in clear text (passwords, cookies, mysql -p values),
# so the output directory needs the same handling as the image itself.
open PASSWORD,">resultados/passwords.txt";
open MYSQL,">resultados/mysql.txt";
open URI,">resultados/uri.txt";
open COOKIE,">resultados/cookies.txt";
open BOOKMARKS,">resultados/bookmarks.txt";
open VOLUMEN,">resultados/volumenes.txt";
open DISK,">resultados/disks.txt";
open EMAIL,">resultados/emails.txt";
open PROXY,">resultados/proxys.txt";
open ENCRYPTED,">resultados/encrypted.txt";
open BRUTE,">resultados/bruteforce.txt";
open STRINGS,">resultados/strings.txt";

print "Extrayendo datos...\n";
# LOST IN EXTRACTION: the right-hand side of this assignment is missing;
# given `open BIN` above, a readline from BIN is the obvious reading (an
# HTML-stripped "<BIN>"), but it is not recoverable from this copy and the
# line does not parse as written.
while($lineabin =) {
    # Carve runs of "printable-ish" characters (NULs allowed inside a run so
    # UTF-16-style text is not split) from the current chunk.
    @lineas = ($lineabin =~ m/([\w\d&\*<>=\-\_\[\]\s"'\/\\\%;\:\.\t\,\#\)\(\@\?\0`]+)/g);
    # $linea is not declared with `my`, so it is a package global.
    BUCLE: foreach $linea (@lineas) {
        $linea =~ s/\0//g;                  # drop the embedded NULs
        next BUCLE if(length($linea) < 4);  # too short to be interesting
        print STRINGS $linea."\n";          # every string, strings(1)-style

        # Brute-force candidate list: anything within the length window that
        # is not pure whitespace.
        if(length($linea) >= $minpass && length($linea) <= $maxpass && $linea !~ /^(\s|\t)+$/) {
            print BRUTE $linea."\n";
        }

        # Bookmark state machine: while a bookmark is open, lines that still
        # look like markup are appended to its body; the first line without
        # '<' or '>' closes it and stores the body under its name.
        if($nbookmark ne "") {
            if($linea =~ /(<|>)/) {
                $bookmark .= $linea;
            } else {
                $bookmarks{$nbookmark} = $bookmark;
                $nbookmark = "";
                $bookmark = "";
            }
        }

        # URIs: keep the scheme and everything up to the first whitespace.
        if($linea =~ /((https?|file|ftp|smb):\/\/.+)/) {
            my $uri = $1;
            $uri =~ s/\s+.+//g;
            print URI $uri."\n" if($uris{$uri} < 1 || $uris{$uri} eq "");
            $uris{$uri}++;
        }

        # Stable device identifiers (udev by-id links) -- useful for tying
        # the image to physical hardware.
        if($linea =~ /(\/dev\/disk\/by-id\/(.+))/) {
            my $disk = $1;
            print DISK $disk."\n" if($disks{$disk} < 1 || $disks{$disk} eq "");
            $disks{$disk}++;
        }

        # A <bookmark> tag: flush any bookmark still open (first sighting
        # only), otherwise start a new one.
        if($linea =~ /<\/?bookmark(\shref=[^>]+)?>/) {
            if($nbookmark ne "") {
                print BOOKMARKS $bookmark."\n" if($bookmarks{$nbookmark} < 1 || $bookmarks{$nbookmark} eq "");
                $bookmarks{$nbookmark}++;
                $nbookmark = "";
                $bookmark = "";
            }
            # LOST IN EXTRACTION: the condition and body of this elsif, the
            # closing brace of the bookmark block and the start of the
            # password block (the code that sets $pass and prints to
            # PASSWORD) are missing from this copy. The fragment below is kept
            # verbatim and does not parse; all that survives is that $pass was
            # filtered by the $minpass..$maxpass length window.
            elsif($linea =~ / = $minpass && length($pass) <= $maxpass); }
        # HTTP Cookie headers, else bare PHP session ids.
        if($linea =~ /Cookie:\s(.+)/) {
            my $cookie = $1;
            print COOKIE $cookie."\n" if($cookies{$cookie} < 1 || $cookies{$cookie} eq "");
            $cookies{$cookie}++;
        } elsif($linea =~ /(PHPSESSID=[\w\d]+)/) {
            my $cookie = $1;
            print COOKIE $cookie."\n" if($cookies{$cookie} < 1 || $cookies{$cookie} eq "");
            $cookies{$cookie}++;
        }

        # E-mail addresses (loose pattern; only the first match per string).
        if($linea =~ /([\w\d\-_\.]+@[\w\d\-_\.]+\.\w+)/) {
            my $email = $1;
            print EMAIL $email."\n" if($emails{$email} < 1 || $emails{$email} eq "");
            $emails{$email}++;
        }

        # mysql command lines from shell history etc.; the whole argument
        # string (including any -p password) is written, deduplicated on
        # user:password.
        if($linea =~ /mysql (.+)/) {
            my $lineamysql = $1;
            my ($usuario) = ($lineamysql =~ /-u(\s*[^\s]+)/);
            my ($password) = ($lineamysql =~ /-p(\s*[^\s]+)/);
            if($usuario ne "") {
                print MYSQL $lineamysql."\n" if($mysqls{$usuario.":".$password} < 1 || $mysqls{$usuario.":".$password} eq "");
                $mysqls{$usuario.":".$password}++;
            }
        }

        # Shell proxy exports. NOTE(review): $1 is only the text before
        # "_proxy" (e.g. the scheme); the quoted proxy value is in $2 and is
        # never written, which looks like a bug -- confirm intent.
        if($linea =~ /export (.+?)_proxy="([^"]+)"/) {
            my $proxyhttp = $1;
            print PROXY $proxyhttp."\n" if($proxys{$proxyhttp} < 1 || $proxys{$proxyhttp} eq "");
            $proxys{$proxyhttp}++;
        }

        # eCryptfs encrypted filename markers. %cifrados is never declared
        # (see the strict/warnings note at the top).
        if($linea =~ /ECRYPTFS_FNEK_ENCRYPTED\.(.+)/) {
            my $enckey = $1;
            print ENCRYPTED $enckey."\n" if($cifrados{$enckey} < 1 || $cifrados{$enckey} eq "");
            $cifrados{$enckey}++;
            # print "eCryptfs Filname Encryption Key Encrypted: ".$enckey."\n\n";
        }
    }
}

# NOTE(review): BRUTE is never closed explicitly and none of these closes is
# checked, so a write error on a result file goes unreported.
close(MYSQL);
close(URI);
close(COOKIE);
close(BOOKMARKS);
close(VOLUMEN);
close(DISK);
close(EMAIL);
close(PROXY);
close(ENCRYPTED);
close(STRINGS);
close(PASSWORD);
print "Datos extraídos exitosamente!\n";
Introducción a la informática forense con Perl
Autor: @Xianur0
Para saber más sobre el script, haz clic aquí
Correo: xianur0.null[at]gmail.com
Descripción: Script en Perl que permite realizar un análisis forense a partir de una imagen dd