LIST
ffmpeg -codecs # list all codecs
ffmpeg -encoders # list all encoders
ffmpeg -decoders # list all decoders
ffmpeg -formats # list all formats
TRIM
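# Extract one frame at second $SECONDS to a PNG. NOTE: SECONDS is a bash builtin that
# counts seconds since the shell started, so assign it explicitly (e.g. SECONDS=90)
# right before this command or the seek position is arbitrary.
ffmpeg -accurate_seek -ss "$SECONDS" -i "$FILE" -frames:v 1 -quality 100 image.png
# Extract a part of a video: start at -ss for a duration of -t, stream copy (no re-encode)
ffmpeg -i "${file}" -ss 00:00:30 -t 00:00:05 -codec copy "${fileout}"
# Keep only the range between -ss and -to, stream copy
ffmpeg -i "${file}" -ss 00:00:00 -to 00:56:33 -c copy "${fileout}"
# Join files with the concat demuxer. The list syntax quotes paths with single quotes
# (double quotes are taken literally and end up in the file name), so each name is
# wrapped in '...' with any embedded single quote rewritten as '\''. printf replaces
# the non-portable echo -e; -safe 0 allows absolute paths in the list.
q1=${file1//\'/\'\\\'\'} q2=${file2//\'/\'\\\'\'}
ffmpeg -f concat -safe 0 -i <(printf "file '%s'\n" "$q1" "$q2") -c copy "${fileout}"
# Join files with the concat protocol: byte-level concatenation, only for formats that
# allow it (e.g. MPEG-TS); use the demuxer form above for MP4/MKV
ffmpeg -i "concat:${file1}|${file2}" -codec copy "${fileout}"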
AUDIO & VIDEO
ffmpeg -i "${file}" -c:v libx265 -codec:a libopus -b:a 64k -vbr on -compression_level 10 "${path}/${file%.*}.mp4"
batch to encode audio & video
path="/ext/shared/Videos/ffmpeg" && path2="/tmp/ffmpeg-batch-$(date +%s)" && while read file; do echo "ffmpeg -i \"${file}\" -c:v libx265 -codec:a libopus -b:a 64k -vbr on -compression_level 10 \"${file%.*}-resized.mp4\"" >> "${path2}"; done < <(find "${path}" -name "*.*") && chmod +x "${path2}" && echo "Launch: ${path2}"
batch to encode audio video with crop & scale
crop="W:H:X:Y"   # crop filter geometry placeholders: width:height:x-offset:y-offset
scale="800x720"  # two alternative scale values follow; the last assignment wins
scale="800:-1"   # width 800, height -1 = computed by ffmpeg to keep the aspect ratio
path="/home/nikita/Downloads/.tmp/ffmpeg" && path2="/tmp/ffmpeg-batch-$(date +%s)" && while read file; do echo "ffmpeg -i \"${file}\" -filter:v crop=${crop},scale=${scale} -c:v libx265 -codec:a libopus -b:a 64k -vbr on -compression_level 10 \"${file%.*}-resized.mp4\"" >> "${path2}"; done < <(find "${path}" -name "*.webm") && chmod +x "${path2}" && echo "Launch: ${path2}"
AUDIO
# replace audio in video: video stream from $file, audio stream from the matching
# .opus file, both copied without re-encoding
ffmpeg -i "$file" -i "${file%.mp4}.opus" -map 0:v:0 -map 1:a:0 -c:v copy -c:a copy "${file%.mp4}-audio.mp4"
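# batch to replace audio: one ffmpeg command per .mp4 under ${path}, pairing it with
# the .opus of the same name. printf %q shell-quotes every name so the generated
# script cannot be broken or hijacked by a file name; find -print0 / read -d '' keep
# any name intact; mktemp replaces the predictable /tmp name; the shebang makes the
# batch run under bash.
path="/home/nikita/Downloads/.tmp/ffmpeg" \
  && path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX) \
  && printf '#!/usr/bin/env bash\n' > "${path2}" \
  && while IFS= read -r -d '' file; do
       printf 'ffmpeg -i %q -i %q -c:v copy -c:a copy -map 0:v:0 -map 1:a:0 %q\n' \
         "${file}" "${file%.mp4}.opus" "${file%.mp4}-audio.mp4" >> "${path2}"
     done < <(find "${path}" -type f -name "*.mp4" -print0) \
  && chmod +x "${path2}" \
  && echo "Launch: ${path2}"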
# compress audio: re-encode the audio of $file to Opus 64 kb/s VBR, written next to
# it with the extension replaced by .opus
ffmpeg -i "$file" -c:a libopus -b:a 64k -vbr on -compression_level 10 "${file%.*}.opus"
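# batch to compress audio: one ffmpeg command per .mp4 under ${path} that copies the
# video and re-encodes the audio to Opus. printf %q shell-quotes every name so the
# generated script cannot be broken or hijacked by a file name; find -print0 /
# read -d '' keep any name intact; mktemp replaces the predictable /tmp name; the
# shebang makes the batch run under bash.
path="/home/nikita/Downloads/.tmp/ffmpeg" \
  && path2=$(mktemp /tmp/ffmpeg-batch-XXXXXX) \
  && printf '#!/usr/bin/env bash\n' > "${path2}" \
  && while IFS= read -r -d '' file; do
       printf 'ffmpeg -i %q -c:v copy -codec:a libopus -b:a 64k -vbr on -compression_level 10 %q\n' \
         "${file}" "${file%.mp4}-audio.mp4" >> "${path2}"
     done < <(find "${path}" -type f -name "*.mp4" -print0) \
  && chmod +x "${path2}" \
  && echo "Launch: ${path2}"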
ENCODE
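# extract audio only (-vn), stream copy; the output name is quoted like the input
ffmpeg -i "$file" -vn -acodec copy "$file_out"
# resize video to width 720; -1 asks ffmpeg to compute the height keeping the aspect ratio; audio passthrough
ffmpeg -i "$file" -filter:v scale=720:-1 -c:a copy "$file_out"
# crop to w-width:h-height:x-left:y-top, audio passthrough (a video filter implies re-encoding the video)
ffmpeg -i "$file" -filter:v crop=w:h:x:y -c:a copy "$file_out"
# crop & encode with H.265, audio passthrough
ffmpeg -i "$file" -filter:v crop=w:h:x:y -c:v libx265 -c:a copy "$file_out"
# crop, then scale to at most w_max:h_max (-1 keeps the aspect ratio), encode H.265, audio passthrough
ffmpeg -i "$file" -filter:v "crop=w:h:x:y,scale=w_max:h_max" -c:v libx265 -c:a copy "$file_out"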
OTHERS
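ffmpeg -hide_banner -i "$file" # info: print stream/container details (no output file, so ffmpeg exits with an error after the summary)
ffmpeg -accurate_seek -ss "$SECONDS" -i "$FILE" -frames:v 1 image.bmp # Extract frame to image; SECONDS is a bash builtin, assign it first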
FFPROBE
get info from file
ffprobe -i $file
examples
create a batch & launch it to crop, scale & encode files from the file list
crop="W:H:X:Y"   # crop filter geometry placeholders: width:height:x-offset:y-offset
scale="800x720"  # two alternative scale values follow; the last assignment wins
scale="800:-1"   # width 800, height -1 = computed by ffmpeg to keep the aspect ratio
path="/home/nikita/_new/ffmpeg" && path2="/tmp/ffmpeg-batch-$(date +%s)" && while read file; do name="${file##*/}"; path="${file%/*}"; echo "ffmpeg -i \"${file}\" -filter:v "crop=${crop},scale=${scale}" -c:v libx265 -c:a copy \"${path}/${name%.*}-resized.mp4\"" >> "${path2}"; done < <(find "${path}" -name "*.mp4") && chmod +x "${path2}" && echo "Launch: ${path2}"
create a batch & launch it to only encode the files found by the search
path="/home/nikita/_new/ffmpeg" && path2="/tmp/ffmpeg-batch-$(date +%s)" && while read file; do name="${file##*/}"; path="${file%/*}"; echo "ffmpeg -i \"${file}\" -c:v libx265 -c:a copy \"${path}/${name%.*}.mp4\"" >> "${path2}"; done < <(find "${path}" -name "*.mkv") && chmod +x "${path2}" && echo "Launch: ${path2}"
AUDACITY
Export /Export Audio/(external program)
ffmpeg -i - -codec:a libopus -b:a 64k -vbr on -compression_level 10 "%f" # whithout space in path file
start
log mimikatz.log
lsadump
cd {$path_hive}
log c:\lsadump.log
lsadump::sam /system:SYSTEM /sam:SAM
exit
hivexsh
hivexsh [-options] [hivefile]
Provides a simple shell for navigating Windows Registry 'hive' files
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry hive file in your bug report.
-f filename # Read commands from "filename" instead of stdin. To write a hivexsh script, use: #!/usr/bin/hivexsh -f
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow exporting/merging valid keys/values from an otherwise corrupted hive.
-w # If this option is given, then writes are allowed to the hive (see "commit" command below, and the discussion of modifying hives in "WRITING TO HIVE FILES" in hivex(3)). Important Note: Even if you specify this option, nothing is written to a hive unless you call the "commit" command. If you exit the shell without committing, all changes will be discarded. If this option is not given, then write commands are disabled.
commands
add name # Add a subkey named "name" below the current node. The name may contain spaces and punctuation characters, and does not need to be quoted.
cd path # Change to the subkey "path". Use Windows-style backslashes to separate path elements, and start with a backslash in order to start from the root of the hive. For example:
close | unload # Close the currently loaded hive. If you modified the hive, all uncommitted writes are lost when you call this command (or if the shell exits). You have to call "commit" to write changes.
commit [newfile] # Commit changes to the hive. If the optional "newfile" parameter is supplied, then the hive is written to that file, else the original file is overwritten.
del # Delete the current node and everything beneath it. The current directory is moved up one level (as if you did "cd ..") after this command.
exit | quit # Exit the shell.
load hivefile # Load the binary hive named "hivefile". The currently loaded hive, if any, is closed. The current directory is changed back to the root node.
ls # List the subkeys of the current hive Registry key. Note this command does not take any arguments.
lsval [key] # List the (key, value) pairs of the current hive Registry key. If no argument is given then all pairs are displayed. If "key" is given, then the value of the named key is displayed. If "@" is given, then the value of the default key is displayed.
setval nrvals # This command replaces all (key, value) pairs at the current node with the values in subsequent input. "nrvals" is the number of values (ie. (key, value) pairs), and any existing values at this node are deleted. So "setval 0" just deletes any values at the current node.
hivexget
hivexget hivefile PATH [NAME]
Get subkey from a Windows Registry binary "hive" file
example
hivexget ${path_hive}/SAM "SAM\Domains\Account\Users\000003E9" V
hivexml
hivexml [-dk] HIVE > FILE
Convert Windows Registry binary "hive" into XML
options
-d # Enable lots of debug messages. If you find a Registry file that this program cannot parse, please enable this option and post the complete output and the Registry file in your bug report.
-k # Keep going even if we find errors in the Registry file. This skips over any parts of the Registry that we cannot read.
-u # Use heuristics to tolerate certain levels of corruption within hives. This is unsafe but may allow exporting/merging valid keys/values from an otherwise corrupted hive.
Install
sudo apt install -y libhivex-bin
https://helpmanual.io/man8/chntpw/
chntpw
chntpw [options] <samfile> [systemfile] [securityfile] [otherreghive] [...]
Utility to overwrite passwords of Windows systems
usage
chntpw -i $hive
options
-u username # Username or username ID (RID) to change. The default is 'Administrator'.
-l # List all users in the SAM database and exit.
-i # Interactive Menu system: list all users (as per -l option) and then ask for the user to change.
-e # Registry editor with limited capabilities (but it does include write support). For a slightly more powerful editor see reged
-d # Use buffer debugger instead (hex editor)
-L # Log all changed filenames to /tmp/changed. When this option is set the program automatically saves the changes in the hive files without prompting the user. Be careful when using the -L option as a root user in a multiuser system. The filename is fixed and this can be used by malicious users (dropping a symlink with the same name) to overwrite system files.
-N # Do not allocate more information, only allow the editing of existing values with same size.
-E # Do not expand the hive file (safe mode).
commands
hive [<n>] # list loaded hives or switch to hive number n
cd <key> # change current key
ls | dir [<key>] # show subkeys & values
cat | type <value> # show key value
dpi <value> # show decoded DigitalProductId value
hex <value> # hexdump of value data
ck [<keyname>] # Show keys class data, if it has any
nk <keyname> # add key
dk <keyname> # delete key (must be empty)
ed <value> # Edit value
nv <type#> <valuename> # Add value
dv <valuename> # Delete value
delallv # Delete all values in current key
rdel <keyname> # Recursively delete key & subkeys
ek <filename> <prefix> <keyname> # export key to <filename> (Windows .reg file format)
debug # enter buffer hexeditor
st [<hexaddr>] # debug function: show struct info
q # quit
reged
reged [options] -x<registryhivefile><prefixstring><key><output.reg>
reged [options] -I<registryhivefile><prefixstring><input.reg>
reged [options] -e<registryhivefile>
Utility to export/import and edit Windows registry hives
usage
reged -x SYSTEM 'HKEY_LOCAL_MACHINE\SYSTEM' 'ControlSet001\Control\Lsa\Skew1' test.reg
modes
-x <registryhivefile> <prefixstring> <key> <output.reg> # Xport. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE <key> is key to dump (recursively), \ or \\ means all keys in hive. Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg> # Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE. Only one .reg and one hive file supported at the same time
-e <registryhive> ... # Interactive edit one or more of registry files
options
-L # Log changed filenames to /tmp/changed, also auto-saves
-C # Auto-save (commit) changed hives without asking
-N # No allocate mode, only allow edit of existing values with same size
-E # No expand mode, do not expand hive file (safe mode)
-t # Debug trace of allocated blocks
-v # Some more verbose messages
sampasswd
sampasswd [options] -uuser <samfile>
Reset passwords of users in the SAM user database
options
-r # Reset the user's password.
-a # Reset all the users. If this option is used there is no need to specify the next option.
-u <user> # User to change. The user value can be provided as a username, or a RID number in hexadecimal (if the username is preceded with '0x').
-l # Lists the users in the SAM database.
-H # Output human readable output. The program by default will print a parsable table unless this option is used.
-N # Do not allocate more information, only allow the editing of existing values with same size.
-E # Do not expand the hive file (safe mode).
-t # Print debug information of allocated blocks.
-v # Print verbose information and debug messages.
Install
sudo apt install -y chntpw
xubuntu 20.04 - focal
virt-manager
host
<!-- libvirt 9p passthrough of the host directory /vms/share, exposed to the guest
     under the mount tag "hostshare" (the guest fstab entry below mounts it on /share).
     accessmode="mapped": guest ownership/permissions are stored by the host in
     extended attributes; fmode/dmode are the host-side modes of files/directories. -->
<filesystem type="mount" accessmode="mapped" fmode="0660" dmode="0770">
<source dir="/vms/share"/>
<target dir="/hostshare"/>
<address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
</filesystem>
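# host side: let the desktop user and the qemu process share /vms/share
#sudo usermod -G libvirtd -a $USER
sudo usermod -G libvirt-qemu -a "$USER" # -a appends; without it -G replaces the user's other groups
hostpath=/vms/share
# hand the tree to the qemu user and grant the group rwx now (-Rm) and on future entries (-d default ACL)
sudo chown -R libvirt-qemu:libvirt-qemu "$hostpath"
sudo setfacl -Rm g:libvirt-qemu:rwx "$hostpath"
sudo setfacl -d -Rm g:libvirt-qemu:rwx "$hostpath"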
guest
# guest side: load the 9p modules from the initramfs and mount the "hostshare" tag on /share
printf '%s\n' 9p 9pnet 9pnet_virtio | sudo tee -a /etc/initramfs-tools/modules >/dev/null
sudo update-initramfs -u
printf '%s\n' '# qemu share' 'hostshare /share 9p trans=virtio,version=9p2000.L,rw,umask=002 0 0' | sudo tee -a /etc/fstab >/dev/null
global
install
update
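# remove unwanted desktop packages; the patterns are quoted so the shell does not
# expand them against files in the current directory (apt matches them itself)
sudo apt remove -y 'gimp*' 'libreoffice-*' 'thunderbird*' transmission-gtk
sudo apt update
sudo apt list --upgradable
sudo apt -y dist-upgrade
sudo apt -y autoremove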
system
# base CLI tooling (openssh-server left out on purpose, see trailing comment)
sudo apt install -y binutils-common bsdmainutils curl debconf-utils exfat git gnupg2 gparted hfsprogs htop kpartx lnav most net-tools p7zip-full p7zip-rar pv rar sysstat testdisk tmux tree unrar vim xsysinfo # openssh-server
# desktop extras
sudo apt install -y dconf-editor firefox-locale-fr galculator gpicview meld plank qt5ct qt5-gtk2-platformtheme thunar-media-tags-plugin tumbler-plugins-extra
conf
qt5-ct to fusion
global
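# limit swap: turn it off now and persist swappiness=10
sudo swapoff -av && sudo sh -c 'echo vm.swappiness=10 > /etc/sysctl.d/99-swappiness.conf' # limit swap
# system timezone to UTC
sudo rm /etc/localtime && sudo ln -sv /usr/share/zoneinfo/Etc/UTC /etc/localtime
software-properties-gtk # add canonical partners
export QT_QPA_PLATFORMTHEME=gtk2
# Persist the QT and Java environment in ~/.profile. A quoted heredoc appends the text
# verbatim: the original `echo "\n..."` (no -e) wrote the \n sequences literally and
# produced a line .profile cannot parse, and `echo -e` is not portable.
cat >> ~/.profile <<'EOF'

# QT
export QT_QPA_PLATFORMTHEME=gtk2

#JAVA
export _JAVA_OPTIONS="-Dawt.useSystemAAFontSettings=on -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel ${_JAVA_OPTIONS}"
EOF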
menulibre # edit menu
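# XFCE autostart entry for the plank dock (mkdir -p also creates missing parents)
path=~/.config/autostart
[ -d "${path}" ] || mkdir -p "${path}"
cat > "${path}/plank.desktop" <<'EOF'
[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false
EOF
plank --preferences &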
trans
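# HOST: stage the dev tree on the directory the guest mounts as /share
path=/vms/share/trans; [ -d "${path}" ] || mkdir -p "${path}"
cp -r ~/dev/ /vms/share/trans/
# GUEST: install shell, vim, meld, wallpaper, completion and launcher files from the share
path=~/.local/share/icons; [ -d "${path}" ] || mkdir -p "${path}"
path=~/.local/share/applications; [ -d "${path}" ] || mkdir -p "${path}"
path=/share/trans/dev
path_conf=${path}/install-desktop/conf
cp "${path_conf}/foralyse/.bashrc" ~/
cp "${path_conf}/foralyse/.bash_alias" ~/
sudo cp "${path_conf}/foralyse/.bashrc" /root/
sudo cp "${path_conf}/foralyse/.bash_alias" /root/
cp "${path}/install/conf/foralyse/.vimrc" ~/
sudo cp "${path}"/install/conf/vim/* /usr/share/vim/vim*/colors/
sudo cp "${path_conf}/soft/meld-dark.xml" /usr/share/meld/styles/
sudo cp "${path_conf}"/wp/* /usr/share/xfce4/backdrops/
sudo cp "${path_conf}"/bash-completion/* /usr/share/bash-completion/completions/
sudo cp "${path_conf}/icons/tmux.svg" /usr/share/icons/default/
# the launcher lives in the user's own applications dir, so copy it as the user:
# copying it with sudo first left a root-owned file that this cp could not overwrite
cp "${path_conf}/foralyse/xfce4-terminal-tmux.desktop" ~/.local/share/applications/
cp "${path_conf}"/icons/* ~/.local/share/icons
sudo ln -sv /usr/share/bash-completion/completions/tmux.git /usr/share/bash-completion/completions/tmux
# make sure the files copied with sudo are readable by every user
sudo chmod +r /usr/share/icons/default/tmux.svg
sudo chmod +r /usr/share/bash-completion/completions/tmux*
sudo chmod +r /usr/share/xfce4/backdrops/*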
sublime text
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
forensic
global
# forensic tooling, grouped by purpose
# network
sudo apt install -y whois
# pwd & evtx & process
sudo apt install -y john libscca-utils pev radare2
# hive
sudo apt install -y libhivex-bin chntpw reglookup
# gui
sudo apt install -y bless geany ghex gpicview gtkhash wxhexeditor
conf
bless
cp /usr/share/bless/*.layout ~/.config/bless/layouts/
kali
#sudo sh -c "echo '# kali\ndeb http://http.kali.org/kali kali-rolling main non-free contrib' > /etc/apt/sources.list.d/kali.list
#wget -q -O - archive.kali.org/archive-key.asc | sudo apt-key add -
#sudo apt update
#sed -i '/^deb/ s|^|#|' /etc/apt/sources.list.d/kali.list
#sudo apt update
python
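# python3 from the distribution, plus python2 with pip bootstrapped from get-pip.py.
# The script is fetched over HTTPS and then executed as the user: -f makes curl fail
# on an HTTP error instead of saving an error page that python2 would try to run, and
# the && stops when the download failed.
sudo apt-get install -y python3 python3-pip
. ~/.profile
sudo apt-get install -y python2 # python2-dev
cd /tmp && curl -fsSL https://bootstrap.pypa.io/pip/2.7/get-pip.py -o get-pip.py \
  && python2 get-pip.py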
pip2
python2 -m pip install -U balbuzard
pip3
python3 -m pip install -U malcarve regrippy
binwalk
dependencies
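# binwalk dependencies: archive/filesystem tools from apt (-y, like every other apt
# line in this file, so the step is non-interactive) and python helpers for the user
sudo apt install -y mtd-utils gzip bzip2 tar arj lhasa p7zip p7zip-full cabextract cramfsswap squashfs-tools lzop srecord
python3 -m pip install -U nose coverage pycryptodome pyqtgraph capstone matplotlib
. ~/.profile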
github
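# Extractors binwalk calls for non-standard images. Each is built from the repository's
# current HEAD and installed with root rights: pin a known revision
# (git checkout <commit>) before the install step when this must be reproducible.
# Steps are chained with && so a failed clone does not leave the next commands
# running in the wrong directory.
# Install sasquatch to extract non-standard SquashFS images
sudo apt install -y zlib1g-dev liblzma-dev liblzo2-dev
cd /tmp && git clone https://github.com/devttys0/sasquatch \
  && cd sasquatch && ./build.sh
# Install jefferson to extract JFFS2 file systems
python3 -m pip install -U cstruct
cd /tmp && git clone https://github.com/sviehb/jefferson \
  && cd jefferson && sudo python3 setup.py install
# Install ubi_reader to extract UBIFS file systems
sudo apt install -y liblzo2-dev
python3 -m pip install -U python-lzo
cd /tmp && git clone https://github.com/jrspruitt/ubi_reader \
  && cd ubi_reader && sudo python3 setup.py install
# Install yaffshiv to extract YAFFS file systems
cd /tmp && git clone https://github.com/devttys0/yaffshiv \
  && cd yaffshiv && sudo python3 setup.py install
# Install unstuff (closed source) to extract StuffIt archive files.
# The tarball comes over plain HTTP and there is no checksum on record to verify it
# against; its digest is printed so it can be compared with one from a trusted source
# before the binary is copied onto PATH. -f makes curl fail on an HTTP error instead
# of feeding an error page to tar.
cd /tmp && curl -fsS http://downloads.tuxfamily.org/sdtraces/stuffit520.611linux-i386.tar.gz -o stuffit520.611linux-i386.tar.gz \
  && sha256sum stuffit520.611linux-i386.tar.gz \
  && tar -zxvf stuffit520.611linux-i386.tar.gz
sudo cp bin/unstuff /usr/local/bin/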
pandoc
# sudo apt install pandoc texlive-latex-base texlive-latex-recommended texlive-latex-extra
# pandoc -s -o $fileout $filein
binwalk
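# binwalk from the repository's current HEAD, installed system-wide; chained with &&
# so a failed clone does not run setup.py in the wrong directory
cd /tmp && git clone https://github.com/ReFirmLabs/binwalk \
  && cd binwalk && sudo python3 setup.py install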
regripper
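# RegRipper on top of Debian's Parse::Win32Registry: the packaged WinNT/File.pm,
# WinNT/Key.pm and Base.pm are moved aside (timestamped backups) and replaced by
# symlinks to RegRipper's copies, then rip.pl gets its plugin dir and a perl shebang.
# Every path is quoted, and the module directory is located once and checked before
# anything is moved.
sudo apt-get install -y libparse-win32registry-perl
path=$(find /usr/share -type d -name Win32Registry | head -n 1)
[ -n "${path}" ] || echo "Win32Registry module directory not found under /usr/share" >&2
cd /usr/share && sudo git clone https://github.com/keydet89/RegRipper3.0.git
sudo mv RegRipper3.0 regripper
backup_suffix=$(date +%s)
for file in WinNT/File.pm WinNT/Key.pm Base.pm; do
  sudo mv "${path}/${file}" "${path}/${file}.${backup_suffix}"
  sudo ln -sv "/usr/share/regripper/${file##*/}" "${path}/${file}"
done
cd regripper
sudo cp -a rip.pl "rip.pl.${backup_suffix}"
# point RegRipper at its plugin directory, right after the @alerts declaration
sudo sed -i '/^my @alerts = ();/a my \$plugindir = "/usr/share/regripper/plugins/";' rip.pl
# replace line 1 with a shebang for this system's perl plus the Debian lib path
sudo sed -i "1c #! $(command -v perl)\nuse lib qw(/usr/lib/perl5/);" rip.pl
sudo chmod +x rip.pl
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/regripper
sudo ln -sv /usr/share/regripper/rip.pl /usr/bin/rip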
volatility
volatility3
# volatility3 and its optional dependencies, installed for the current user
python3 -m pip install -U pefile yara-python capstone pycryptodome jsonschema leechcorepyc python-snappy
python3 -m pip install -U volatility3
# presumably pip's user install put the `vol` entry point in ~/.local/bin — verify with `command -v vol`
cd ~/.local/bin && ln -sv vol vol3
volatility2
https://github.com/volatilityfoundation/volatility/wiki/Installation
# volatility2 dependencies: distro packages, then the python2 modules for the current user
sudo apt -y install pcregrep libpcre++-dev python-dev
python2 -m pip install distorm3 ipython openpyxl pycrypto pytz ujson yara-python
libforensic1394
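# libforensic1394 and its python binding from source. The library is built as the
# user and only installed as root (a bare `sudo make install` would compile as root
# too); the steps are chained so a failure stops the sequence.
sudo apt install -y cmake
cd /tmp \
  && git clone https://github.com/FreddieWitherden/libforensic1394 \
  && cd libforensic1394 \
  && mkdir build && cd build \
  && cmake -G"Unix Makefiles" ../ \
  && make \
  && sudo make install \
  && cd ../python \
  && sudo python setup.py install
# NOTE(review): this symlink suggests the binding looks for libforensic1394.so.2 — confirm against the import error if it fails to load
sudo ln -sv /usr/local/lib/libforensic1394.so.0.3.0 /usr/lib/libforensic1394.so.2
cd
sudo rm -rf -- /tmp/libforensic1394
# cmake was only needed for the build
sudo apt remove cmake
sudo apt autoremove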
volatility
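# volatility2 from git into /opt (the clone assumes /opt is writable by the user —
# otherwise run it with sudo); .git is dropped to save space. Chained so a failed
# clone does not run setup.py elsewhere.
cd /opt \
  && git clone https://github.com/volatilityfoundation/volatility.git \
  && cd volatility \
  && rm -rf .git \
  && sudo python setup.py install
cd /usr/local/bin && sudo ln -sv vol.py vol2
vol2 -h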
wireshark
# wireshark from the wireshark-dev stable PPA, plus the tshark CLI
sudo add-apt-repository -y ppa:wireshark-dev/stable \
  && sudo apt update \
  && sudo apt install -y tshark wireshark
autopsy
global
# the guest-side mount of the host share, where the installers below are staged
path_share=/share
# imaging / carving tools and the java runtime dependency for autopsy
sudo apt-get update \
  && sudo apt install -y afflib-tools testdisk ewf-tools xmount fdupes java-common \
  && sudo apt-get install -y imagemagick libde265-0 libheif1
java
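# Oracle JDK 8 through the labcif installer script. The script is fetched over HTTPS
# and executed as root with no integrity check, so read it (or pin a known revision
# of the raw URL) before running. The tarball is selected with a glob instead of by
# parsing ls output, and a missing tarball is reported.
java_files=( "${path_share}"/jdk-8*linux-x64.tar.gz )
java_file=${java_files[0]}
[ -e "${java_file}" ] || echo "no jdk-8*linux-x64.tar.gz found in ${path_share}" >&2
file=/usr/local/bin/oracle-java-installer.sh
sudo curl -fsS https://raw.githubusercontent.com/labcif/oracle-java-installer/master/oracle-java-installer.sh -o "${file}"
#sudo sed -i s'/update-java-alternatives -a/update-alternatives --auto java/' /usr/local/bin/oracle-java-installer.sh
#sudo sed -i s'/update-java-alternatives -l/update-alternatives --list java/' /usr/local/bin/oracle-java-installer.sh
# drop tar's -v inside the installer (quieter output)
sudo sed -i 's|tar -xvzf|tar -xzf|' "${file}"
sudo chmod +x "${file}"
sudo "${file}" --install "${java_file}"
. /etc/profile.d/jdk.sh
"${file}" --status "${java_file}"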
base64sha
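# b64sha helper from labcif: fetched over HTTPS and placed on PATH with no checksum to
# compare against, so read it once before relying on it; -f makes curl fail on an HTTP
# error instead of saving the error page, and chmod only runs after a good download
file=/usr/local/bin/b64sha
sudo curl -fsS https://raw.githubusercontent.com/labcif/Base64SHA/master/b64sha -o "${file}" \
  && sudo chmod +x "${file}"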
sleuthkit
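# Pick the SleuthKit Java .deb from the share (glob instead of parsing ls) and split
# its version "<major>-<minor>" with a bash regex instead of echo|sed; the minor part
# now accepts more than one digit. The package is given by absolute path, which apt
# accepts as a local file.
sleuthkit_files=( "${path_share}"/sleuthkit-java_*_amd64.deb )
sleuthkit_file=${sleuthkit_files[0]}
if [[ "${sleuthkit_file}" =~ /sleuthkit-java_([0-9_.]+)-([0-9]+)_amd64\.deb$ ]]; then
  sleuthkit_version_major=${BASH_REMATCH[1]}
  sleuthkit_version_minor=${BASH_REMATCH[2]}
else
  echo "unexpected sleuthkit package name: ${sleuthkit_file}" >&2
fi
sudo apt install "${sleuthkit_file}"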
autopsy
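# Unpack the autopsy zip from the share into /opt, link /opt/autopsy to it and make
# the tree user-owned. The zip is selected with a glob instead of parsing ls, every
# path is quoted, and ~/.local/bin is created before the launcher symlink.
autopsy_zips=( "${path_share}"/autopsy-*.zip )
file=${autopsy_zips[0]}
[ -e "${file}" ] || echo "no autopsy-*.zip found in ${path_share}" >&2
path=${file%.zip} && path=/opt/${path##*/}
sudo unzip -q -d /opt/ "${file}"
sudo chown -R "${USER}:${USER}" "${path}"
cd /opt && sudo ln -sv "${path##*/}" autopsy
cd "${path}"
sh unix_setup.sh
mkdir -p ~/.local/bin && ln -sv "${path}/bin/autopsy" ~/.local/bin/autopsy
autopsy --nosplash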
launcher
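# desktop launcher for autopsy; the applications directory may not exist yet
mkdir -p ~/.local/share/applications
cat > ~/.local/share/applications/autopsy.desktop <<'EOF'
[Desktop Entry]
Version=1.0
Type=Application
Terminal=false
Icon=/opt/autopsy/icon.ico
Name=Autopsy
Exec=autopsy
EOF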
addons
ReportModules / ForensicExpertWitnessReport
https://github.com/chriswipat/forensic_expert_witness_report_module
IngestModules / FileHistory
https://medium.com/@markmckinnon_80619/windows-file-history-plugin-a6208da4efa5
IngestModules / Volatility
https://markmckinnon-80619.medium.com/volatility-autopsy-plugin-module-8beecea6396
install
python3 -m pip install -U pip
python3 -m pip install -U volatility3
# NOTE(review): without sudo, pip installs for the user (typically ~/.local/bin), so a
# `vol` in /usr/local/bin only exists if pip is configured system-wide — otherwise this
# creates a dangling vol3 link; confirm with `command -v vol` first
cd /usr/local/bin && sudo ln -sv vol vol3; cd
help
volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
[--stackers [STACKERS [STACKERS ...]]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]]]
plugin ...
An open-source memory forensics framework
-c CONFIG, --config CONFIG # Load the configuration from a json file
--parallelism [{processes,threads,off}] # Enables parallelism (defaults to off if no argument given)
-e EXTEND, --extend EXTEND # Extend the configuration with a new (or changed) setting
-p PLUGIN_DIRS, --plugin-dirs PLUGIN_DIRS # Semi-colon separated list of paths to find plugins
-s SYMBOL_DIRS, --symbol-dirs SYMBOL_DIRS # Semi-colon separated list of paths to find symbols
-v, --verbosity # Increase output verbosity
-l LOG, --log LOG # Log output to a file as well as the console
-o OUTPUT_DIR, --output-dir OUTPUT_DIR # Directory in which to output any generated files
-q, --quiet # Remove progress feedback
-r RENDERER, --renderer RENDERER # Determines how to render the output (quick, csv, pretty, json, jsonl)
-f FILE, --file FILE # Shorthand for --single-location=file:// if single-location is not defined
--write-config # Write configuration JSON file out to config.json
--clear-cache # Clears out all short-term cached items
--cache-path CACHE_PATH # Change the default path (/home/tsurugi/.cache/volatility3) used to store the cache
--offline # Do not search online for additional JSON files
--single-location SINGLE_LOCATION # Specifies a base location on which to stack
--stackers [STACKERS [STACKERS ...]] # List of stackers
--single-swap-locations [SINGLE_SWAP_LOCATIONS [SINGLE_SWAP_LOCATIONS ...]] # Specifies a list of swap layer URIs for use with single-location
windows
windows.bigpools.BigPools # List big page pools
windows.cachedump.Cachedump # Dumps lsa secrets from memory
windows.callbacks.Callbacks # Lists kernel callbacks and notification routines
windows.cmdline.CmdLine # Lists process command line arguments
windows.crashinfo.Crashinfo
windows.dlllist.DllList # Lists the loaded modules in a particular windows memory image
windows.driverirp.DriverIrp # List IRPs for drivers in a particular windows memory image
windows.driverscan.DriverScan # Scans for drivers present in a particular windows memory image
windows.dumpfiles.DumpFiles # Dumps cached file contents from Windows memory samples
windows.envars.Envars # Display process environment variables
windows.filescan.FileScan # Scans for file objects present in a particular windows memory image
windows.getservicesids.GetServiceSIDs # Lists process token sids
windows.getsids.GetSIDs # Print the SIDs owning each process
windows.handles.Handles # Lists process open handles
windows.hashdump.Hashdump # Dumps user hashes from memory
windows.info.Info # Show OS & kernel details of the memory sample being analyzed
windows.lsadump.Lsadump # Dumps lsa secrets from memory
windows.malfind.Malfind # Lists process memory ranges that potentially contain injected code
windows.memmap.Memmap # Prints the memory map
windows.modscan.ModScan # Scans for modules present in a particular windows memory image.
windows.modules.Modules # Lists the loaded kernel modules
windows.mutantscan.MutantScan # Scans for mutexes present in a particular windows memory image
windows.netscan.NetScan # Scans for network objects present in a particular windows memory image
windows.netstat.NetStat # Traverses network tracking structures present in a particular windows memory image.
windows.poolscanner.PoolScanner # A generic pool scanner plugin
windows.privileges.Privs # Lists process token privileges
windows.pslist.PsList # Lists the processes present in a particular windows memory image
windows.psscan.PsScan # Scans for processes present in a particular windows memory image
windows.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
windows.registry.certificates.Certificates # Lists the certificates in the registry's Certificate Store
windows.registry.hivelist.HiveList # Lists the registry hives present in a particular memory image
windows.registry.hivescan.HiveScan # Scans for registry hives present in a particular windows memory image.
windows.registry.printkey.PrintKey # Lists the registry keys under a hive or specific key value
windows.registry.userassist.UserAssist # Print userassist registry keys and information
windows.skeleton_key_check.Skeleton_Key_Check # Looks for signs of Skeleton Key malware
windows.ssdt.SSDT # Lists the system call table
windows.statistics.Statistics
windows.strings.Strings # Reads output from the strings command and indicates which process(es) each string belongs to
windows.svcscan.SvcScan # Scans for windows services
windows.symlinkscan.SymlinkScan # Scans for links present in a particular windows memory image
windows.vadinfo.VadInfo # Lists process memory ranges
windows.vadyarascan.VadYaraScan # Scans all the Virtual Address Descriptor memory maps using yara
windows.verinfo.VerInfo # Lists version information from PE files
windows.virtmap.VirtMap # Lists virtual mapped sections
linux
linux.bash.Bash # Recovers bash command history from memory
linux.check_afinfo.Check_afinfo # Verifies the operation function pointers of network protocols
linux.check_creds.Check_creds # Checks if any processes are sharing credential structures
linux.check_idt.Check_idt # Checks if the IDT has been altered
linux.check_modules.Check_modules # Compares module list to sysfs info, if available
linux.check_syscall.Check_syscall # Check system call table for hooks
linux.elfs.Elfs # Lists all memory mapped ELF files for all processes
linux.keyboard_notifiers.Keyboard_notifiers # Parses the keyboard notifier call chain
linux.kmsg.Kmsg # Kernel log buffer reader
linux.lsmod.Lsmod # Lists loaded kernel modules
linux.lsof.Lsof # Lists all memory maps for all processes
linux.malfind.Malfind # Lists process memory ranges that potentially contain injected code
linux.proc.Maps # Lists all memory maps for all processes
linux.pslist.PsList # Lists the processes present in a particular linux memory image
linux.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
linux.tty_check.tty_check # Checks tty devices for hooks
mac
mac.bash.Bash # Recovers bash command history from memory
mac.check_syscall.Check_syscall # Check system call table for hooks
mac.check_sysctl.Check_sysctl # Check sysctl handlers for hooks
mac.check_trap_table.Check_trap_table # Check mach trap table for hooks
mac.ifconfig.Ifconfig # Lists loaded kernel modules
mac.kauth_listeners.Kauth_listeners # Lists kauth listeners and their status
mac.kauth_scopes.Kauth_scopes # Lists kauth scopes and their status
mac.kevents.Kevents # Lists event handlers registered by processes
mac.list_files.List_Files # Lists all open file descriptors for all processes
mac.lsmod.Lsmod # Lists loaded kernel modules
mac.lsof.Lsof # Lists all open file descriptors for all processes
mac.malfind.Malfind # Lists process memory ranges that potentially contain injected code
mac.mount.Mount # A module containing a collection of plugins that produce data typically found in Mac's mount command
mac.netstat.Netstat # Lists all network connections for all processes
mac.proc_maps.Maps # Lists process memory ranges that potentially contain injected code
mac.psaux.Psaux # Recovers program command line arguments
mac.pslist.PsList # Lists the processes present in a particular mac memory image
mac.pstree.PsTree # Plugin for listing processes in a tree based on their parent process ID
mac.socket_filters.Socket_filters # Enumerates kernel socket filters
mac.timers.Timers # Check for malicious kernel timers
mac.trustedbsd.Trustedbsd # Checks for malicious trustedbsd modules
mac.vfsevents.VFSevents # Lists processes that are filtering file system events
others
banners.Banners # Attempts to identify potential linux banners in an image
configwriter.ConfigWriter # Runs the automagics and both prints and outputs configuration in the output directory
frameworkinfo.FrameworkInfo # Plugin to list the various modular components of Volatility
isfinfo.IsfInfo # Determines information about the currently available ISF files, or a specific one
layerwriter.LayerWriter # Runs the automagics and writes out the primary layer produced by the stacker
timeliner.Timeliner # Runs all relevant plugins that provide time related information and orders the results by time
yarascan.YaraScan # Scans kernel memory using yara rules (string or file)
windows notifications
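# Windows notification database of the user under examination (mounted image); the path is quoted
file=/vol6/Users/Angela/AppData/Local/Microsoft/Windows/Notifications/wpndatabase.db
sqlitebrowser "${file}"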
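-- Notifications joined to their handler; the two FILETIME columns (100 ns units since
-- 1601-01-01) are converted to Unix time. "Group" and "Order" are reserved words and
-- must be double-quoted to reference the columns: with the original single quotes
-- they were string literals, so every row showed the text Group/Order instead of data.
SELECT datetime((ArrivalTime/10000000)-11644473600, 'unixepoch') AS ArrivalTime,
datetime((ExpiryTime/10000000)-11644473600, 'unixepoch') AS ExpiryTime,
Type, HandlerId, Notification.Id, Payload, Tag, "Group", "Order", PrimaryId, HandlerType, WNFEventName, CreatedTime as HandlerCreatedTime, ModifiedTime as HandlerModifiedTime
FROM Notification LEFT JOIN NotificationHandler ON Notification.HandlerId = NotificationHandler.RecordId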
regripper [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile
Special
regripper -l -c|sort|column -t -s, # show plugins list in table sorted by plugins
regripper -l -c|sort -t, -k3 -k1|column -t -s, # show plugins list in table sorted by hive/plugins
regripper -p winver -r SOFTWARE # get version of windows
regripper -p timezone -r SYSTEM # get timezone information from the SYSTEM hive
regripper -a -r SYSTEM # run all hive-specific plugins (full analysis) on the SYSTEM hive
Useful
-a # Automatically run hive-specific plugins
-l # list all plugins
-f [profile] # use the profile
-p [plugin] # use the plugin
All
-r [hive] # Registry hive file to parse
-d # Check to see if the hive is dirty
-g # Guess the hive file type
-a # Automatically run hive-specific plugins
-aT # Automatically run hive-specific TLN plugins
-f [profile] # use the profile
-p [plugin] # use the plugin
-l # list all plugins
-c # Output plugin list in CSV format (use with -l)
-s systemname # system name (TLN support)
-u username # User name (TLN support)
-uP # Update default profiles
Plugins
adobe 20200522 NTUSER.DAT Gets user's Adobe app cRecentFiles values
allowedenum 20200511 NTUSER.DAT Software Extracts AllowedEnumeration values to determine hidden special folders
amcache 20200515 amcache Parse AmCache.hve file
amcache_tln 20180311 amcache Parse AmCache.hve file
appassoc 20200515 NTUSER.DAT Gets contents of user's ApplicationAssociationToasts key
appcertdlls 20200427 System Get entries from AppCertDlls key
appcompatcache 20200428 System Parse files from System hive AppCompatCache
appcompatcache_tln 20190112 System Parse files from System hive AppCompatCache
appcompatflags 20200525 NTUSER.DAT Software Extracts AppCompatFlags for Windows.
appinitdlls 20200427 Software Gets contents of AppInit_DLLs value
appkeys 20200517 NTUSER.DAT Software Extracts AppKeys entries.
appkeys_tln 20180920 NTUSER.DAT Software Extracts AppKeys entries.
applets 20200525 NTUSER.DAT Gets contents of user's Applets key
applets_tln 20120613 NTUSER.DAT Gets contents of user's Applets key (TLN)
apppaths 20200511 NTUSER.DAT Software Gets content of App Paths subkeys
apppaths_tln 20130429 NTUSER.DAT Software Gets content of App Paths subkeys (TLN)
appspecific 20200515 NTUSER.DAT Gets contents of user's Intellipoint\AppSpecific subkeys
appx 20200427 NTUSER.DAT USRCLASS.DAT Checks for persistence via Universal Windows Platform Apps
appx_tln 20191014 NTUSER.DAT USRCLASS.DAT Checks for persistence via Universal Windows Platform Apps
arpcache 20200515 NTUSER.DAT Retrieves CurrentVersion\App Management\ARPCache entries
at 20200525 Software Checks Software hive for AT jobs
attachmgr 20200525 NTUSER.DAT Checks user's keys that manage the Attachment Manager functionality
attachmgr_tln 20130425 NTUSER.DAT Checks user's keys that manage the Attachment Manager functionality (TLN)
at_tln 20140821 Software Checks Software hive for AT jobs
audiodev 20200525 Software Gets audio capture/render devices
auditpol 20200515 Security Get audit policy from the Security hive file
backuprestore 20200517 System Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
bam 20200427 System Parse files from System hive BAM Services
bam_tln 20180225 System Parse files from System hive BAM Services
base 20200427 All Parse base info from hive
baseline 20130211 All Scans a hive file, checking sizes of binary value data
btconfig 20200526 Software Determines BlueTooth devices 'seen' by BroadComm drivers
bthenum 20200515 System Get BTHENUM subkey info
bthport 20200517 System Gets Bluetooth-connected devices from System hive
bthport_tln 20180705 System Gets Bluetooth-connected devices from System hive; TLN output
cached 20200525 NTUSER.DAT Gets cached Shell Extensions from NTUSER.DAT hive
cached_tln 20150608 NTUSER.DAT Gets cached Shell Extensions from NTUSER.DAT hive (TLN)
calibrator 20200427 Software Checks DisplayCalibrator value (possible bypass assoc with LockBit ransomware)
clsid 20200526 Software USRCLASS.DAT Get list of CLSID/registered classes
clsid_tln 20200526 Software USRCLASS.DAT Get list of CLSID/registered classes
cmdproc 20200515 NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive
cmdproc_tln 20130425 NTUSER.DAT Autostart - get Command Processor\AutoRun value from NTUSER.DAT hive (TLN)
cmd_shell 20200515 Software Gets shell open cmds for various file types
codepage 20200519 system Checks codepage value
comdlg32 20200517 NTUSER.DAT Gets contents of user's ComDlg32 key
compdesc 20200511 NTUSER.DAT Gets contents of user's ComputerDescriptions key
compname 20090727 System Gets ComputerName and Hostname values from System hive
cred 20200427 system Checks for UseLogonCredential value
cred_tln 20200402 system Checks UseLogonCredential value
dafupnp 20200525 System Parses data from networked media streaming devices
dcom 20200525 Software Check DCOM Ports
ddo 20140414 NTUSER.DAT Gets user's DeviceDisplayObjects key contents
defender 20200427 Software Get Windows Defender settings
del 20200515 All Parse hive, print deleted keys/values
del_tln 20190506 All Parse hive, print deleted keys/values
devclass 20200525 System Get USB device info from the DeviceClasses keys in the System hive
direct 20200515 Software Searches Direct* keys for MostRecentApplication subkeys
direct_tln 20190911 Software Searches Direct* keys for MostRecentApplication subkeys (TLN)
disablelastaccess 20200517 System Get NTFSDisableLastAccessUpdate value
disablemru 20190924 NTUSER.DAT Software Checks settings disabling user's MRUs
disableremotescm 20200513 System Gets DisableRemoteScmEndpoints value from System hive
disablesr 20200515 Software Gets the value that turns System Restore either on or off
drivers32 20200525 Software Get values from the Drivers32 key
emdmgmt 20200511 Software Gets contents of EMDMgmt subkeys and values
environment 20200512 System NTUSER.DAT Get environment vars from NTUSER.DAT & System hives
execpolicy 20200517 Software Gets PowerShell Execution Policy
featureusage 20200511 NTUSER.DAT Extracts user's FeatureUsage data.
fileless 20200525 All Scans a hive file looking for fileless malware entries
findexes 20200525 All Scans a hive file looking for binary value data that contains MZ
gpohist 20200525 Software NTUSER.DAT Collects system/user GPO history
gpohist_tln 20150529 Software NTUSER.DAT Collects system/user GPO history (TLN)
heap 20200427 Software Checks HeapLeakDetection\DiagnosedApplications Subkeys
heidisql 20201227 NTUSER.DAT Gets user's heidisql data
ica_sessions 20200528 Software ARETE ONLY - Extracts Citrix ICA Session info
identities 20200525 NTUSER.DAT Extracts values from Identities key; NTUSER.DAT
imagedev 20140104 System --
imagefile 20200515 Software Checks ImageFileExecutionOptions subkeys values
injectdll64 20200427 NTUSER.DAT Software Retrieve values set to weaken Chrome security
inprocserver 20200427 Software Checks CLSID InProcServer32 values for indications of malware
installer 20200517 Software Determines product install information
ips 20200518 System Get IP Addresses and domains (DHCP, static)
jumplistdata 20200517 NTUSER.DAT Gets contents of user's JumpListData key
killsuit 20200427 Software Check for indications of Danderspritz Killsuit installation
killsuit_tln 20200414 Software Check for indications of Danderspritz Killsuit installation
knowndev 20200515 NTUSER.DAT Gets user's KnownDevices key contents
landesk 20200517 Software Get list of programs monitored by LANDESK - Software hive
landesk_tln 20130214 Software Get list of programs monitored by LANDESK from Software hive
lastloggedon 20200517 Software Gets LastLoggedOn* values from LogonUI key
licenses 20200526 Software Get contents of HKLM/Software/Licenses key
listsoft 20200517 NTUSER.DAT Lists contents of user's Software key
load 20200517 NTUSER.DAT Gets load and run values from user hive
logonstats 20200517 NTUSER.DAT Gets contents of user's LogonStats key
lsa 20200517 System Lists specific contents of LSA key
lxss 20200511 NTUSER.DAT Gets WSL config.
lxss_tln 20140723 NTUSER.DAT Gets WSL config.
macaddr 20200515 System Software --
mixer 20200517 NTUSER.DAT Checks user's audio mixer settings
mixer_tln 20141112 NTUSER.DAT Checks user's audio mixer info
mmc 20200517 NTUSER.DAT Get contents of user's MMC\Recent File List key
mmc_tln 20120828 NTUSER.DAT Get contents of user's MMC\Recent File List key (TLN)
mmo 20200517 NTUSER.DAT Checks NTUSER for Multimedia\Other values [malware]
mndmru 20200517 NTUSER.DAT Get contents of user's Map Network Drive MRU
mndmru_tln 20120829 NTUSER.DAT Get user's Map Network Drive MRU (TLN)
mountdev 20200517 System Return contents of System hive MountedDevices key
mountdev2 20200517 System Return contents of System hive MountedDevices key
mp2 20200526 NTUSER.DAT Gets user's MountPoints2 key contents
mp2_tln 20200525 NTUSER.DAT Gets user's MountPoints2 key contents
mpmru 20200517 NTUSER.DAT Gets user's Media Player RecentFileList values
msis 20200517 Software Determine MSI packages installed on the system
msoffice 20200518 NTUSER.DAT Get user's MSOffice content
msoffice_tln 20200518 NTUSER.DAT Get user's MSOffice content
muicache 20200525 NTUSER.DAT USRCLASS.DAT Gets EXEs from user's MUICache key
muicache_tln 20130425 NTUSER.DAT USRCLASS.DAT Gets EXEs from user's MUICache key (TLN)
nation 20200517 ntuser.dat Gets region information from HKCU
netlogon 20200515 System Parse values for machine account password changes
netsh 20200515 Software Gets list of NetSH helper DLLs
networkcards 20200518 Software Get NetworkCards Info
networklist 20200518 Software Collects network info from NetworkList key
networklist_tln 20150812 Software Collects network info from NetworkList key (TLN)
networksetup2 20191004 System Get NetworkSetup2 subkey info
nic2 20200525 System Gets NIC info from System hive
ntds 20200427 System Parse Services NTDS key for specific persistence values
null 20160119 All Check key/value names in a hive for leading null char
oisc 20091125 NTUSER.DAT Gets contents of user's Office Internet Server Cache
onedrive 20200515 NTUSER.DAT Gets contents of user's OneDrive key
onedrive_tln 20190823 NTUSER.DAT Gets contents of user's OneDrive key
osversion 20200511 NTUSER.DAT Checks for OSVersion value
osversion_tln 20120608 NTUSER.DAT Checks for OSVersion value (TLN)
outlook_homepage 20201002 NTUSER.DAT Software Retrieve values set to attack Outlook WebView Homepage
pagefile 20140505 System Get info on pagefile(s)
pending 20130711 System Gets contents of PendingFileRenameOperations value
pendinggpos 20200427 NTUSER.DAT Gets contents of user's PendingGPOs key
photos 20200525 USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
Plugin Version Hive Description
portdev 20090118 Software Parses Windows Portable Devices key contents
powershellcore 20200525 Software Extracts PowerShellCore settings
prefetch 20200515 System Gets the the Prefetch Parameters
printdemon 20200514 Software Gets value assoc with printer ports and descriptions
printmon 20200427 System Lists installed Print Monitors
printmon_tln 20191122 System Lists installed Print Monitors
processor_architecture 20140505 System Get from the processor architecture from the System's environment key
profilelist 20200518 Software Get content of ProfileList key
profiler 20200525 NTUSER.DAT System Environment profiler information
pslogging 20200515 NTUSER.DAT Software Extracts PowerShell logging settings
psscript 20200525 Software NTUSER.DAT Get PSScript.ini values
putty 20200515 NTUSER.DAT Extracts the saved SshHostKeys for PuTTY.
rdpport 20200526 System Queries System hive for RDP Port
recentapps 20200515 NTUSER.DAT Gets contents of user's RecentApps key
recentapps_tln 20190513 NTUSER.DAT Gets contents of user's RecentApps key
recentdocs 20200427 NTUSER.DAT Gets contents of user's RecentDocs key
recentdocs_tln 20140220 NTUSER.DAT Gets contents of user's RecentDocs key (TLN)
remoteaccess 20200517 System Get RemoteAccess AccountLockout settings
rlo 20200517 All Parse hive, check key/value names for RLO character
routes 20200526 System Get persistent routes from the Registry
run 20200511 Software NTUSER.DAT [Autostart] Get autostart key contents from Software hive
runmru 20200525 NTUSER.DAT Gets contents of user's RunMRU key
runmru_tln 20120828 NTUSER.DAT Gets contents of user's RunMRU key (TLN)
runonceex 20200427 Software Gets contents of RunOnceEx values
runvirtual 20200427 NTUSER.DAT Software Gets RunVirtual entries
runvirtual_tln 20191211 NTUSER.DAT Software Gets RunVirtual entries
ryuk_gpo 20200427 Software Get GPO policy settings from Software hive related to Ryuk
samparse 20200825 SAM Parse SAM file for user & group mbrshp info
samparse_tln 20200826 SAM Parse SAM file for user acct info (TLN)
ScanButton 20131210 System Get Scan Button information
schedagent 20200518 Software Get SchedulingAgent key contents
scriptleturl 20200525 Software USRCLASS.DAT Check CLSIDs for ScriptletURL subkeys
searchscopes 20200517 NTUSER.DAT Gets contents of user's SearchScopes key
secctr 20200517 Software Get data from Security Center key
secrets 20200517 Security Get the last write time for the Policy\Secrets key
secrets_tln 20140814 Security Get the last write time for the Policy\Secrets key
securityproviders 20200526 System Gets SecurityProvider value from System hive
services 20191024 System Lists services/drivers in Services key by LastWrite times
sevenzip 20210329 NTUSER.DAT Gets records of histories from 7-Zip keys
sfc 20200517 Software Get SFC values
shares 20200525 System Get list of shares from System hive file
shc 20200427 NTUSER.DAT Gets SHC entries from user hive
shellbags 20200428 USRCLASS.DAT Shell/BagMRU traversal in Win7+ USRCLASS.DAT hives
shellbags_tln 20180702 USRCLASS.DAT Shell/BagMRU traversal in Win7 USRCLASS.DAT hives
shellfolders 20200515 NTUSER.DAT Gets user's shell folders values
shelloverlay 20100308 Software Gets ShellIconOverlayIdentifiers values
shimcache 20200428 System Parse file refs from System hive AppCompatCache data
shimcache_tln 20190112 System Parse file refs from System hive AppCompatCache data
shutdown 20200518 System Gets ShutdownTime value from System hive
sizes 20200517 All Scans a hive file looking for binary value data of a min size (5000)
slack 20200517 All Parse hive, print slack space, retrieve keys/values
slack_tln 20190506 All Parse hive, print slack space, retrieve keys/values
source_os 20200511 System Parse Source OS subkey values
speech 20200427 NTUSER.DAT Get values from user's Speech key
speech_tln 20191010 NTUSER.DAT Get values from user's Speech key
spp_clients 20130429 Software Determines volumes monitored by VSS
srum 20200518 Software Gets contents of SRUM subkeys
ssid 20200515 Software Get WZCSVC SSID Info
susclient 20200518 Software Extracts SusClient* info, including HDD SN (if avail)
svc 20200525 System Lists Services key contents by LastWrite time (CSV)
svcdll 20200525 System Lists Services keys with ServiceDll values
svc_tln 20130911 System Lists Services key contents by LastWrite time (CSV)
syscache 20200515 syscache Parse SysCache.hve file
syscache_csv 20200515 syscache
syscache_tln 20190516 syscache
sysinternals 20080324 NTUSER.DAT Checks for SysInternals apps keys
sysinternals_tln 20080324 NTUSER.DAT Checks for SysInternals apps keys (TLN)
systemindex 20200518 Software Gets systemindex\..\Paths info from Windows Search key
taskcache 20200427 Software Checks TaskCache\Tree root keys (not subkeys)
taskcache_tln 20200416 Software Checks TaskCache\Tree root keys (not subkeys)
tasks 20200427 Software Checks TaskCache\Tasks subkeys
tasks_tln 20200416 Software Checks TaskCache\Tasks subkeys
termcert 20200526 System Gets Terminal Server certificate
termserv 20200506 System Software Gets Terminal Server settings from System and Software hives
thispcpolicy 20200511 Software Gets ThisPCPolicy values
timezone 20200518 System Get TimeZoneInformation key contents
tracing 20200511 Software Gets list of apps that can be traced
tracing_tln 20120608 Software Gets list of apps that can be traced (TLN)
tsclient 20200518 NTUSER.DAT Displays contents of user's Terminal Server Client\Default key
tsclient_tln 20120827 NTUSER.DAT Displays contents of user's Terminal Server Client key (TLN)
typedpaths 20200526 NTUSER.DAT Gets contents of user's typedpaths key
typedpaths_tln 20120828 NTUSER.DAT Gets contents of user's typedpaths key (TLN)
typedurls 20200526 NTUSER.DAT Returns contents of user's TypedURLs key.
typedurlstime 20200526 NTUSER.DAT Returns contents of user's TypedURLsTime key.
typedurlstime_tln 20120613 NTUSER.DAT Returns contents of Win8 user's TypedURLsTime key (TLN).
typedurls_tln 20120827 NTUSER.DAT Returns MRU for user's TypedURLs key (TLN)
uac 20200427 Software Get Select User Account Control (UAC) Values from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
uacbypass 20200511 USRCLASS.DAT Software Get possible UAC bypass settings
uninstall 20200525 Software NTUSER.DAT Gets contents of Uninstall keys from Software, NTUSER.DAT hives
uninstall_tln 20120523 Software NTUSER.DAT Gets contents of Uninstall keys from Software, NTUSER.DAT hives(TLN format)
usb 20200515 System Get USB key info
usbdevices 20200525 System Parses Enum\USB key for USB & WPD devices
usbstor 20200515 System Get USBStor key info
userassist 20170204 NTUSER.DAT Displays contents of UserAssist subkeys
userassist_tln 20180710 NTUSER.DAT Displays contents of UserAssist subkeys in TLN format
volinfocache 20200518 Software Gets VolumeInfoCache from Windows Search key
wab 20200427 Software Get WAB DLLPath settings
wab_tln 20191122 Software Get WAB DLLPath settings
watp 20200427 Software Gets contents of Windows Advanced Threat Protection key
wbem 20200511 Software Get some contents from WBEM key
wc_shares 20200515 NTUSER.DAT Gets contents of user's WorkgroupCrawler/Shares subkeys
winlogon_tln 20130429 Software Alerts on values from the WinLogon key (TLN)
winrar 20200526 NTUSER.DAT Get WinRAR\ArcHistory entries
winrar_tln 20120829 NTUSER.DAT Get WinRAR\ArcHistory entries (TLN)
winscp 20201227 NTUSER.DAT Gets user's WinSCP 2 data
winver 20200525 Software Get Windows version & build info
winzip 20200526 NTUSER.DAT Get WinZip extract and filemenu values
wordwheelquery 20200823 NTUSER.DAT Gets contents of user's WordWheelQuery key
wordwheelquery_tln 20200824 NTUSER.DAT Gets contents of user's WordWheelQuery key
wow64 20200515 Software Gets contents of WOW64\x86 key
wpdbusenum 20200515 System Get WpdBusEnum subkey info
wsh_settings 20200517 Software Gets WSH Settings
Install
see foralyse
reglookup
reglookup [-v] [-s] [-p <PATH_FILTER>] [-t <TYPE_FILTER>] <REGISTRY_FILE>
Print windows registry elements to stdout in a CSV-like format
Special
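# Dump every registry hive with reglookup -i (values carry their parent key's
# modification time), one CSV per hive: the four system hives found in the
# current directory plus every NTUSER.DAT under /vol6.
# Assumes the current directory is the image's Windows/System32/config.
# The output name is the hive path with every '/' replaced by '_'.
# find -print0 / read -d '' keep profile paths containing spaces intact, which
# the original's unquoted $(find ...) split into several bogus hive names.
outdir=/share/examen/disk/hive
hives=(SAM SECURITY SOFTWARE SYSTEM)
while IFS= read -r -d '' hive; do hives+=("$hive"); done < <(find /vol6/ -iname ntuser.dat -print0)
for hive in "${hives[@]}"; do
  printf '%s\n' "$hive"
  reglookup -i "$hive" > "${outdir}/reglookup_${hive//\//_}"
done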
Useful
-p # restrict output to elements below this path.
-H # disables header row.
-s # enables security descriptor output.
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-s # enables security descriptor output.
-S # disables security descriptor output. (default)
-p # restrict output to elements below this path.
-t # restrict results to this specific data type.
-i # includes parent key modification times with child values.
reglookup-timeline
reglookup-timeline [-H] [-V] <REGISTRY_FILE> [<REGISTRY_FILE> ...]
Builds timelines for forensic investigations, a wrapper for reglookup
Special
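# Complete timeline over the four system hives and every NTUSER.DAT in the image.
# Hive paths are collected into an array (NUL-delimited find output) so profile
# directories containing spaces are passed as single arguments.
# NOTE(review): -v is not among the options listed for reglookup-timeline below
# (-H, -V); kept as the author wrote it — confirm against `reglookup-timeline -h`.
hives=(SAM SECURITY SOFTWARE SYSTEM)
while IFS= read -r -d '' hive; do hives+=("$hive"); done < <(find /vol6/ -iname ntuser.dat -print0)
cd /vol6/Windows/System32/config &&
  reglookup-timeline -v "${hives[@]}" > /share/examen/disk/hive/reglookup-tl # complete timeline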
sed -n '/^2021-09-09 18:1/,$p' reglookup-tl > reglookup-tl-select # select part of timeline
All
-H # Omit header line
-V # Include values with parent timestamps
reglookup-recover
reglookup-recover [options] <REGISTRY_FILE>
Attempts to scour a Windows registry hive for deleted data structures and outputs those found in a CSV-like format
All
-v # sets verbose mode.
-h # enables header row. (default)
-H # disables header row.
-l # enables leftover(raw) cell output.
-L # disables leftover(raw) cell output. (default)
-r # enables raw cell output for parsed cells.
-R # disables raw cell output for parsed cells. (default)
Install
sudo apt install reglookup
theme
windows version
regripper -p winver -r $path_hive/SOFTWARE
reglookup -p Software/Microsoft $path_hive/SYSTEM | column -t -s,
user password
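path_hive=/vol6/Windows/System32/config
path2=/cases/examen/artefacts
# get user id: the RID is the 0x... subkey name printed for the account
reglookup -p SAM/Domains/Account/Users "${path_hive}/SAM" | grep -i angela # select 0x.....
# data: export the raw binary values as hex, one file per value, under $path2.
# The RID selected above is taken from $uid (the original hard-coded it a
# second time inside the key path, so changing uid had no effect).
# NOTE(review): ControlSet001 is assumed to be the active control set — confirm
# against the SYSTEM hive's Select\Current value before relying on these values.
uid=000003E9
mkdir -p "$path2"
hivexget "${path_hive}/SAM" "SAM\Domains\Account\Users\\${uid}" V | hexdump -ve '8/1 "%02X"' > "${path2}/sam-user-v.hexdump"
hivexget "${path_hive}/SAM" "SAM\Domains\Account" F | hexdump -ve '8/1 "%02X"' > "${path2}/sam-f.hexdump"
hivexget "${path_hive}/SYSTEM" "ControlSet001\Control\Lsa\JD" lookup | hexdump -ve '8/1 "%02X"' > "${path2}/system-jd.hexdump"
hivexget "${path_hive}/SYSTEM" "ControlSet001\Control\Lsa\Skew1" SkewMatrix | hexdump -ve '8/1 "%02X"' > "${path2}/system-skew.hexdump"
hivexget "${path_hive}/SYSTEM" "ControlSet001\Control\Lsa\GBG" GrafBlumGroup | hexdump -ve '8/1 "%02X"' > "${path2}/system-gbg.hexdump"
hivexget "${path_hive}/SYSTEM" "ControlSet001\Control\Lsa\Data" Pattern | hexdump -ve '8/1 "%02X"' > "${path2}/system-data.hexdump"
# Print every export with its name and content. The original iterated over
# $(ls ${path2}) and ran `cat $file` on the bare names, which only works when
# the current directory happens to be $path2; the glob yields full paths.
for file in "${path2}"/*; do
  [[ -e $file ]] || continue   # unmatched glob leaves the literal pattern
  printf '%s\n' "${file##*/}"
  cat -- "$file"
  echo
done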
regripper
reglookup
reglookup-timeline
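# Timeline of the four system hives of a mounted image. $device must hold the
# image's mount point (set elsewhere); abort with a message when it is not.
pathhive="${device:?set device to the image mount point first}/Windows/System32/config"
pathreport=/share/examen/disk
# The original did `cd $path`, a variable this snippet never sets (it belongs to
# the ffmpeg notes); the hive directory is $pathhive. Chain with && so the
# timeline is not written from the wrong directory when the cd fails.
cd "$pathhive" &&
  reglookup-timeline SAM SECURITY SOFTWARE SYSTEM > "${pathreport}/reglookup-timeline"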
windows
security center
disable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]"Start"=dword:00000004
enable
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]"Start"=dword:00000002
cmp [OPTION]... FILE1 [FILE2 [SKIP1 [SKIP2]]]
Compare two files byte by byte
Special
cmp $file1 $file2 # compare 2 binary files
cmp -l $file1 $file2 | wc -l # get the number of differing bytes
Useful
-b, --print-bytes # print differing bytes
-n, --bytes=LIMIT # compare at most LIMIT bytes
All
-b, --print-bytes # print differing bytes
-i, --ignore-initial=SKIP # skip first SKIP bytes of both inputs
-i, --ignore-initial=SKIP1:SKIP2 # skip first SKIP1 bytes of FILE1 and first SKIP2 bytes of FILE2
-l, --verbose # output byte numbers and differing byte values
-n, --bytes=LIMIT # compare at most LIMIT bytes
-s, --quiet, --silent # suppress all normal output
mount
info
file ${file} # show information about the file
fdisk -x ${file} # show partition information
qemu-img info ${file} # show information about a virtual disk
guestfish --rw -a $file
run
list-filesystems
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo qemu-nbd -d /dev/nbd0
parted ${file}
print
losetup -a # show mounted devices in /dev/loopX
resize
qemu-img resize -f raw ${file} 20972568064 # resize disk to 20972568064 bytes (correct disk size)
parted ${file}
select # select disk (interactive menu)
resizepart # resize partition (interactive menu)
mount/umount
guestmount --add %f --mount /dev/sda1 /vms/data
guestunmount /vms/data
sudo modprobe nbd
sudo qemu-nbd -c /dev/nbd0 ${file} -f qcow2
sudo fdisk /dev/nbd0 -l
sudo mount /dev/nbd0p1 /vms/data
sudo umount /vms/data
sudo qemu-nbd -d /dev/nbd0
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo mount -o ro,loop,offset=$((1126400*512)) ${file} /mnt # mount disk partition with the partition offset
sudo umount /mnt # umount disk
sudo losetup --find --show ${file} # mount disk in /dev/loopX and show /dev/loopX
sudo losetup --find --show --offset ${offset} ${file} # mount partition/disk with offset in /dev/loopX and show /dev/loopX
sudo losetup -d /dev/loopX # umount disk
info
https://opensource.com/article/18/3/creating-bash-completion-script
COMPREPLY
an array variable used to store the completions. The completion mechanism uses this variable to display its contents as completions
COMPREPLY=( $(compgen -W "now tomorrow never" -- ${COMP_WORDS[COMP_CWORD]}) ) # complete the word under the cursor from the given list, at every argument position
COMPREPLY=( $(compgen -W "now tomorrow never" "${COMP_WORDS[1]}") ) # always complete against the first argument: the same candidates are proposed again at later positions (replace)
complete
complete command to register this list for completion
complete -A directory $cmd # provide completion for directory
complete -d $cmd # provide completion for directory
complete -D $cmd # provide completion for directory
complete -f $cmd # provide completion for file
complete -W "$words" $cmd # Wordlist, provide the list of words for completion to command $cmd
complete -F _foo $cmd # use function _foo to generate completions for command $cmd
compopt
https://helpmanual.io/man1/bash/
variables
COMP_WORDS # an array of all the words typed after the name of the program the compspec belongs to
COMP_CWORD # an index into the COMP_WORDS array pointing to the word the cursor is currently on, i.e. the word being completed
COMP_LINE # the current command line
tricks
exec bash # reload completions
examples
qemu-img
#!/usr/bin/env bash
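#######################################
# Bash completion for qemu-img.
#   word 1          -> one of the qemu-img subcommands
#   after -f/-O/-o  -> a block-driver / format name
#   anything else   -> a file name (a lone directory match keeps completing inside it)
# Globals: COMP_WORDS, COMP_CWORD (read); COMPREPLY (written)
# Returns: 0
#######################################
_qemuimg_comp()
{
  local cur prev opts formats
  COMPREPLY=()
  cur=${COMP_WORDS[COMP_CWORD]}
  prev=${COMP_WORDS[COMP_CWORD-1]}
  opts='amend bench bitmap check commit compare convert create dd info map measure snapshot rebase resize'
  # Block drivers / formats, kept on one line so no entry gets split by a line
  # wrap: the original had "null-co" broken into the two words "null" and "-co".
  formats='blkdebug blklogwrites blkverify bochs cloop compress copy-before-write copy-on-read dmg file ftp ftps gluster host_cdrom host_device http https iscsi iser luks nbd nfs null-aio null-co nvme parallels preallocate qcow qcow2 qed quorum raw rbd replication snapshot-access ssh throttle vdi vhdx vmdk vpc vvfat'

  # level 1: the subcommand
  if (( COMP_CWORD == 1 )); then
    mapfile -t COMPREPLY < <(compgen -W "$opts" -- "$cur")
    return 0
  fi

  # Anchored match: the previous word must be exactly -f, -O or -o, not merely
  # contain that sequence (the unanchored original also fired after a file name
  # such as "disk-of-vm.img").
  if [[ $prev =~ ^-[oOf]$ ]]; then
    mapfile -t COMPREPLY < <(compgen -W "$formats" -- "$cur")
    return 0
  fi

  # File names; mapfile keeps names containing spaces as single entries.
  mapfile -t COMPREPLY < <(compgen -f -- "$cur")
  # A single directory match: append "/" and suppress the trailing space so the
  # user can keep completing inside it.
  if (( ${#COMPREPLY[@]} == 1 )) && [[ -d ${COMPREPLY[0]} ]]; then
    compopt -o nospace
    COMPREPLY[0]="${COMPREPLY[0]}/"
  fi
  return 0
} &&
complete -F _qemuimg_comp qemu-img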
haconf
#!/usr/bin/env bash
#
# Bash completion function for the 'haconf' command.
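_haconf()
{
  # Completion for haconf.
  #   word 1            -> one of the primary commands
  #   after "enable"    -> configs in conf-available that are not linked into conf-enabled
  #   after "disable"   -> entries of conf-enabled
  # Globals: COMP_WORDS, COMP_CWORD (read); COMPREPLY (written)
  # Returns: 0
  local cur prev path_enabled path_available opts
  path_enabled="/etc/haproxy/conf-enabled"
  path_available="/etc/haproxy/conf-available"
  COMPREPLY=()
  cur=${COMP_WORDS[COMP_CWORD]}
  prev=${COMP_WORDS[COMP_CWORD-1]}
  # primary commands
  opts='check clear enable disable list reload'

  # level 1: the command
  if (( COMP_CWORD == 1 )); then
    mapfile -t COMPREPLY < <(compgen -W "$opts" -- "$cur")
    return 0
  fi

  # level 2: the config name, depending on the command
  case $prev in
    enable)
      mapfile -t COMPREPLY < <(compgen -W "$(_haconf_disabled "$path_available" "$path_enabled")" -- "$cur")
      ;;
    disable)
      mapfile -t COMPREPLY < <(compgen -W "$(_haconf_enabled "$path_enabled")" -- "$cur")
      ;;
  esac
  return 0
}

#######################################
# Names of the configs in $1 (conf-available) that have no symlink of the same
# name in $2 (conf-enabled), one per line. Globbing replaces the original
# `ls` parsing, which broke names containing whitespace or glob characters.
# Arguments: $1 - conf-available directory, $2 - conf-enabled directory
# Outputs:   config names to stdout
#######################################
_haconf_disabled() {
  local available=$1 enabled=$2 conf name
  for conf in "$available"/*; do
    [[ -e $conf || -h $conf ]] || continue   # unmatched glob leaves the literal pattern
    name=${conf##*/}
    [[ -h "$enabled/$name" ]] || printf '%s\n' "$name"
  done
}

#######################################
# Names of the entries in $1 (conf-enabled), one per line; dangling symlinks
# are included, as `ls` listed them too.
# Arguments: $1 - conf-enabled directory
# Outputs:   entry names to stdout
#######################################
_haconf_enabled() {
  local enabled=$1 conf
  for conf in "$enabled"/*; do
    [[ -e $conf || -h $conf ]] || continue
    printf '%s\n' "${conf##*/}"
  done
}
complete -F _haconf haconf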
xxd [options] [infile [outfile]]
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
ASCII, decimal, hexadecimal, octal dump
Special
xxd -p -c 10000 # plain hex dump, 10000 octets per line
xxd -p -u -c 10000 # plain hex dump, 10000 octets per line, uppercase hex letters
xxd -s 0x200 -l 0x200 dump.vmdk| xxd -r # print readable content
Useful
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-l len # stop after <len> octets
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-u # use upper case hex letters
All
-a # toggle autoskip: A single '*' replaces nul-lines. Default off
-b # binary digit dump (incompatible with -ps,-i,-r). Default hex
-C # capitalize variable names in C include file style (-i)
-c cols # format <cols> octets per line. Default 16 (-i: 12, -ps: 30)
-E # show characters in EBCDIC. Default ASCII
-e # little-endian dump (incompatible with -ps,-i,-r)
-g bytes # number of octets per group in normal output. Default 2 (-e: 4)
-i # output in C include file style
-l len # stop after <len> octets
-o off # add <off> to the displayed file position
-ps # output in postscript plain hexdump style
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-d # show offset in decimal instead of hex
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-u # use upper case hex letters
Install
sudo apt install bsdmainutils
system
# Raise the kernel-wide open-file limit and the per-process nofile limits
# used by cuckoo. Same file contents as the original `sudo sh -c "echo ..."`
# form, written through tee so no root shell has to re-parse a quoted string.
printf '%s\n' 'fs.file-max=3253172' | sudo tee /etc/sysctl.d/90-cuckoo.conf >/dev/null
file=/etc/security/limits.conf
sudo cp -a "$file" "$file.$(date +%s)"   # timestamped backup before appending
# The leading empty line separates the appended block from existing content.
printf '%s\n' '' '# cuckoo' '* soft nofile 4096' '* hard nofile 16384' | sudo tee -a "$file" >/dev/null
log out and log in again so the new limits apply
mongodb
service
service=mongodb.service
# Make sure the unit is enabled and running, then show its state and the listener.
if ! systemctl is-enabled "$service"; then
  sudo systemctl enable "$service"
fi
if ! systemctl is-active "$service"; then
  sudo systemctl start "$service"
fi
systemctl status "$service"
ss -ltn | grep 27017   # mongod listening port
users
mongo
db.createUser({ user: "admin", pwd: "7Yt_Gi-sYgCsr", roles:[{ role: "userAdminAnyDatabase", db: "admin" }] })
db.getUsers()
use cuckoo
db.createUser({ user: "cuckoo", pwd: "8hm6_FevpUA5od", roles:[{ role: "dbOwner", db: "cuckoo" }] })
db.getUsers()
show dbs
exit
conf
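# Set "key = value" pairs in mongodb.conf, uncommenting the key when it is commented out.
# `auth true` switches authentication on, so the admin/cuckoo users created in the mongo
# shell above must exist before the restart. Keys and values are spliced into the sed
# expression unescaped: only feed this loop literal words (no `|`, `&` or regex metachars).
# ${service} is the unit name set in the "service" step above.
file=/etc/mongodb.conf
sudo cp -a -- "${file}" "${file}.$(date +%s)"
while read -r str val; do
  sudo sed -i "s|#\?\(${str}\) *=.*$|\1 = ${val}|" "${file}"
done <<< "port 27017
journal true
auth true
verbose true"
sudo systemctl restart "${service}"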
postgresql
# postgresql unit: enable/start only when needed, then confirm it listens on its default port
service=postgresql.service
if ! systemctl is-enabled "${service}"; then sudo systemctl enable "${service}"; fi
if ! systemctl is-active "${service}"; then sudo systemctl start "${service}"; fi
systemctl status "${service}"
ss -ltn | grep 5432
sudo -u postgres psql
psql
\du
CREATE DATABASE cuckoo;
CREATE USER cuckoo WITH ENCRYPTED PASSWORD '8hm6_FevpUA5od';
GRANT ALL PRIVILEGES ON DATABASE cuckoo TO cuckoo;
\du
\q
guacd
# guacd unit: enable/start only when needed, then confirm it listens on its default port
service=guacd.service
if ! systemctl is-enabled "${service}"; then sudo systemctl enable "${service}"; fi
if ! systemctl is-active "${service}"; then sudo systemctl start "${service}"; fi
systemctl status "${service}"
ss -ltn | grep 4822
cuckoo
create
# create the default ~/.cuckoo working directory on first run, then snapshot it before editing
if [ ! -d ~/.cuckoo ]; then cuckoo -d; fi
cp -a ~/.cuckoo "${HOME}/.cuckoo.$(date +%s)"
cuckoo
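# Patch cuckoo.conf in place: for each "key value" line, every line of the file that
# contains "<key> =" (the address is unanchored) gets everything from its first "=" on
# replaced by "= value". Keep the key list specific enough not to hit unrelated lines.
file=~/.cuckoo/conf/cuckoo.conf
# The connection URL below embeds the postgresql password in clear text; restrict the
# file to this user before writing it.
chmod 600 "${file}"
while read -r str val; do
  sed -i "/${str} =/ s|=.*$|= ${val}|" "${file}"
done <<< "machinery kvm
memory_dump yes
ip 192.168.122.1
connection postgresql://cuckoo:8hm6_FevpUA5od@localhost:5432/cuckoo
guacd_host localhost
guacd_port 4822"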
auxiliary
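# auxiliary.conf: point the tcpdump and mitmdump modules at the binaries installed in the
# "packages" section. Every line containing "<key> =" has its value replaced (unanchored match).
file=~/.cuckoo/conf/auxiliary.conf
while read -r str val; do
  sed -i "/${str} =/ s|=.*$|= ${val}|" "${file}"
done <<< "tcpdump /usr/sbin/tcpdump
mitmdump /usr/local/bin/mitmdump"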
kvm
update VMs in ~/.cuckoo/conf/kvm.conf
memory
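# memory.conf: volatility profile of the guest, and keep the memory dump after processing.
# Every line containing "<key> =" has its value replaced (unanchored match).
file=~/.cuckoo/conf/memory.conf
while read -r str val; do
  sed -i "/${str} =/ s|=.*$|= ${val}|" "${file}"
done <<< "guest_profile Win7SP1x64
delete_memdump no"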
processing
file=~/.cuckoo/conf/processing.conf
sed -i "/^.memory.$/,/^$/ s|^enabled = .*$|enabled = yes|" ${file}
reporting
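file=~/.cuckoo/conf/reporting.conf
# The mongodb password is written into this file in clear text below; make it private
# before editing so it is never world-readable with the secret inside.
chmod 600 "${file}"
# Each sed confines its substitution to the lines between the "[section]" header and the
# next blank line, so the same "enabled =" key in other sections is left alone.
# singlefile: enable the module with both html and pdf output
sed -i "/^.singlefile.$/,/^$/ s|^enabled = .*$|enabled = yes|" "${file}"
sed -i "/^.singlefile.$/,/^$/ s|^html = .*$|html = yes|" "${file}"
sed -i "/^.singlefile.$/,/^$/ s|^pdf = .*$|pdf = yes|" "${file}"
# mongodb: must match the "cuckoo" user created in the mongo shell above
db_name=cuckoo
db_user=cuckoo
db_pwd=8hm6_FevpUA5od
sed -i "/^.mongodb.$/,/^$/ s|^enabled = .*$|enabled = yes|" "${file}"
sed -i "/^.mongodb.$/,/^$/ s|^db = .*$|db = ${db_name}|" "${file}"
sed -i "/^.mongodb.$/,/^$/ s|^username = .*$|username = ${db_user}|" "${file}"
sed -i "/^.mongodb.$/,/^$/ s|^password = .*$|password = ${db_pwd}|" "${file}"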
interface
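# One tap interface per guest VM, owned by ${user} and enslaved to the host bridge.
user=nikita
hostbr=virbr0
vms="win7 "
# ${vms} is deliberately unquoted: it is a space-separated list, one tap per entry
# (the loop used to hard-code "win7" and ignore this variable).
for vm in ${vms}; do
  sudo tunctl -b -u "${user}" -t "tap_${vm}"
  sudo ip link set "tap_${vm}" master "${hostbr}"
  sudo ip link set dev "tap_${vm}" up
done
# the bridge only needs bringing up once, not once per tap
sudo ip link set dev "${hostbr}" up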
python
time
disable automatic time synchronisation from the internet
set static IP address (disable DHCP)
address 192.168.122.101
gateway 192.168.122.1 / 255.255.255.0
DNS 208.67.222.222, 208.67.222.220
windows
add ;c:\python27;c:\python27\script;C:\Program Files (x86)\GnuWin32\bin to PATH
install python-2.7.10.amd64.msi
install wget-1.11.4-1-setup.exe
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
python.exe get-pip.py
pip install -U setuptools
pillow
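pip install -U Pillow # -U upgrades an existing Pillow; the note had "--U", which pip does not accept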
agent
get from host: $CWD/agent.py
rename, put in guest: C:\ProgramData\Microsoft\Start Menu\programs\Startup\agent.pyw
https://cuckoo.sh/docs/installation/host/requirements.html
xubuntu 18.04 "bionic"
global
sudo apt update
sudo apt-get install -y git swig libjpeg-dev zlib1g-dev libffi-dev libssl-dev
sudo apt-get install -y virt-win-reg libhivex-bin # registry
python
Requirement
local vs global
# pip for user installation
# Pick one of the two: a per-user install, or a system-wide one through sudo
# (when both lines are run, the second assignment is the one that sticks).
pip=pip
pip="sudo -H pip"
sudo apt install -y python python-pip python-dev
# sudo apt-get install -y python-virtualenv
# ${pip} stays unquoted on purpose so "sudo -H pip" splits into three words
${pip} install -U pip setuptools
balbuzard
$pip install -U balbuzard
pydeep
# ssdeep
sudo apt install -y ssdeep libfuzzy-dev
sudo ldconfig
# pydeep
$pip install pydeep
# sudo apt install -y git
# cd /tmp && git clone https://github.com/kbandla/pydeep && cd pydeep
# python setup.py build && python setup.py test
# sudo python setup.py install
m2crypto
$pip install m2crypto # $pip install m2crypto==0.24.0
volatility
https://github.com/volatilityfoundation/volatility/wiki/Installation
libforensic1394.so.2
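# Build libforensic1394 from source and install it system-wide. The clone is unpinned
# (tip of the default branch): check out a reviewed tag or commit before the
# `sudo make install` / `sudo python setup.py install` steps, which run as root.
# Steps are chained with && so a failed cd/clone never runs the later commands elsewhere.
sudo apt install -y cmake
cd /tmp &&
git clone https://github.com/FreddieWitherden/libforensic1394 &&
cd libforensic1394 &&
mkdir build && cd build &&
cmake -G"Unix Makefiles" ../ &&
sudo make install &&
cd ../python &&
sudo python setup.py install
cd
# remove only the tree cloned above; ${src:?} aborts instead of expanding to "" if unset
src=/tmp/libforensic1394
sudo rm -rf -- "${src:?}"
sudo ln -sv /usr/local/lib/libforensic1394.so.2 /usr/lib/libforensic1394.so.2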
pip packages
sudo apt -y install pcregrep libpcre++-dev python-dev
$pip install pycrypto distorm3 yara-python ujson openpyxl pytz ipython
volatility
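# Volatility 2 from git, installed system-wide as root. The clone is unpinned (default
# branch tip): check out a reviewed tag or commit before `setup.py install`.
# && chaining stops the sequence if cd or clone fails instead of continuing in the wrong dir.
cd /opt &&
git clone https://github.com/volatilityfoundation/volatility.git &&
cd volatility &&
rm -rf -- .git &&
sudo python setup.py install
# short "vol2" alias for the vol.py entry point
cd /usr/local/bin &&
sudo ln -sv vol.py vol2
vol2 -h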
bash completion
# install the vol2 completion file, then inject the live plugin list into its opts= line
target=/usr/share/bash-completion/completions/vol2
sudo cp -a /home/shared/dev/install-desktop/conf/cuckoo/vol2 "${target}"
opts=$(vol2 --info | sed -n '/^Plugins/,/^$/ p' | tail -n+3 | cut -f1 -d' ' | xargs)
sudo sed -i "s|^\( *opts=\).*$|\1'${opts}'|" "${target}"
exec bash # reload completions
DB
django
sudo apt-get install -y mongodb
postgresql
sudo apt-get install -y postgresql libpq-dev
$pip install psycopg2
packages
guacd
sudo apt install -y libguac-client-rdp0 libguac-client-vnc0 libguac-client-ssh0 guacd
tcpdump
sudo apt-get install -y tcpdump
# sudo apt-get install -y tcpdump apparmor-utils
# sudo aa-disable /usr/sbin/tcpdump
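# Let a dedicated group capture without root: the binary gets cap_net_raw/cap_net_admin
# as file capabilities. Restricting the binary's mode to that group is what scopes the
# grant — with a world-executable tcpdump every local user gets raw-socket access.
getent group pcap >/dev/null || sudo groupadd pcap
sudo chgrp pcap /usr/sbin/tcpdump
sudo chmod 750 /usr/sbin/tcpdump
# cuckoo runs tcpdump as this user (auxiliary.conf above), so it must be in the group;
# log out and back in for the membership to apply
sudo usermod -aG pcap "${USER}"
sudo setcap cap_net_raw,cap_net_admin=eip /usr/sbin/tcpdump
# verification
getcap /usr/sbin/tcpdump # /usr/sbin/tcpdump = cap_net_admin,cap_net_raw+eip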
mitmproxy
https://mitmproxy.org/downloads/
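# Install a mitmproxy release tarball under /opt and expose its binaries on PATH.
# The archives are fetched over https but not integrity-checked here: compare them with
# the checksums published for the release before extracting, since mitmdump is later run
# by cuckoo against guest traffic.
version=3.0.4
path=/opt/mitmproxy
[ -d "${path}" ] || mkdir "${path}"
cd "${path}" &&
for archive in mitmproxy pathod; do
  wget "https://snapshots.mitmproxy.org/${version}/${archive}-v${version}-linux.tar.gz" &&
  tar xzf "${archive}-v${version}-linux.tar.gz"
done
files=(mitmdump mitmproxy mitmweb pathoc pathod)
for file in "${files[@]}"; do sudo ln -sv "${path}/${file}" "/usr/local/bin/${file}"; done
# the links were created in /usr/local/bin, so verify them there (the note checked /usr/bin)
for file in "${files[@]}"; do ls -al "/usr/local/bin/${file}"; done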
qemu/kvm
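sudo apt-get install -y qemu-kvm libvirt-bin ubuntu-vm-builder bridge-utils python-libvirt virt-manager libguestfs-tools uml-utilities
sudo adduser "${USER}" libvirt-qemu
# Shared VM storage: mkdir -p is idempotent and also creates the /vms parent; the ACLs
# give this user rw on existing entries and (default ACL, "d:") on entries created later.
for path in /vms/data /vms/iso; do sudo mkdir -p "${path}"; done
sudo setfacl -R -m "u:${USER}:rw" /vms/data /vms/iso
sudo setfacl -R -m "d:${USER}:rw" /vms/data /vms/iso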
thunar
$HOME/.config/Thunar/uca.xml
<action>
<icon>edit-copy</icon>
<name>Duplicate root</name>
<unique-id>1635257948652123-2</unique-id>
<command>pkexec cp -a %f %f.copy</command>
<description>Duplicate root</description>
<patterns>*</patterns>
<directories/>
<audio-files/>
<image-files/>
<other-files/>
<text-files/>
<video-files/>
</action>
<action>
<icon>media-import-audio-cd</icon>
<name>iso</name>
<unique-id>1653055089123473-10</unique-id>
<command>mkisofs -Jro /vms/iso/tmp.iso %F</command>
<description>make iso in vms/iso/tmp.iso</description>
<patterns>*</patterns>
<startup-notify/>
<directories/>
<audio-files/>
<image-files/>
<other-files/>
<text-files/>
<video-files/>
</action>
<action>
<icon>go-bottom</icon>
<name>mount data</name>
<unique-id>1653055065395840-9</unique-id>
<command>guestmount --add %f --mount /dev/sda1 /vms/data</command>
<description>guest mount in /vms/data</description>
<patterns>*.qcow2;*.img;*.raw</patterns>
<other-files/>
</action>
<action>
<icon>go-top</icon>
<name>unmount data</name>
<unique-id>1653055105839871-11</unique-id>
<command>guestunmount /vms/data</command>
<description>guest unmount /vms/data</description>
<patterns>*</patterns>
<startup-notify/>
<directories/>
<audio-files/>
<image-files/>
<other-files/>
<text-files/>
<video-files/>
</action>
cuckoo
direct
$pip install -U cuckoo
virtualenv
cd /opt
virtualenv venv
. venv/bin/activate
$pip install -U cuckoo
xubuntu 18.04 bionic
update
sudo apt update
sudo apt list --upgradable
sudo apt dist-upgrade
sudo apt autoremove
sudo apt autoclean
sudo apt clean
system
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/rtl_nic/
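# Realtek NIC firmware straight from the linux-firmware tree. Served over https but not
# signature-checked here; prefer the distro's linux-firmware package when it ships these blobs.
fw_base=https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/rtl_nic
fw_files=(rtl8168fp-3.fw rtl8125a-3.fw)
cd /tmp &&
for fw in "${fw_files[@]}"; do wget "${fw_base}/${fw}"; done
# copy only the files just downloaded (a bare rtl81* glob would sweep up anything else in /tmp)
sudo cp -- "${fw_files[@]}" /lib/firmware/rtl_nic/
sudo update-initramfs -u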
prepare
# Load the server/install settings. Both files are executed as shell by the current user,
# so they must only be writable by their owner.
. /server/server.conf
. /server/install.conf
sudo mount /btrfs/sys
# epoch timestamp reused as a backup suffix by the steps below
printf -v sdate '%(%s)T' -1
btrfs_sys=focal
btrfs_user=user-focal
grub
# grub: shorten the boot menu timeout to 2 s, then regenerate grub.cfg
# (custom menu entries belong in /etc/grub.d/40_custom)
sudo sed -i 's|^GRUB_TIMEOUT=.*|GRUB_TIMEOUT=2|' /etc/default/grub
sudo update-grub
init
path_install_conf=${S_PATH_INSTALL_CONF/install-desktop/install}
path_install_bash_completion=${S_PATH_INSTALL_CONF}/bash-completion
file_env=${S_PATH_SCRIPT_CONF}/env
file_bash_aliases=${S_PATH_SCRIPT_CONF}/.bash_aliases
file_bash_functions=${S_PATH_SCRIPT_CONF}/.bash_functions
file_vimrc="${S_PATH_SCRIPT_CONF}/.vimrc"
# user shell setup: groups, shared aliases/functions, completions, .bashrc tweaks, hosts
sudo software-properties-gtk
sudo adduser ${USER} users; sudo adduser ${USER} www-data
sudo adduser ${USER} audio; sudo adduser ${USER} video
# replace ~/.bash_aliases and ~/.bash_functions by links to the shared copies
# (_eval is not defined in this note; presumably a wrapper that prints and runs its arguments)
file=~/.bash_aliases
[ -e ${file} ] && _eval rm ${file}
ln -s ${file_bash_aliases} ${file}
file=~/.bash_functions
[ -e ${file} ] && _eval rm ${file}
ln -s ${file_bash_functions} ${file}
sudo cp -a ${S_PATH_INSTALL_CONF}/bash-completion/* /usr/share/bash-completion/completions/
# .bashrc: back up with the ${sdate} suffix, then grow the history and force a colour prompt
file=~/.bashrc
cp -a ${file} ${file}.${sdate}
sed -i 's|^\(HISTSIZE\)=.*$|\1=10000|' ${file}
sed -i 's|^\(HISTFILESIZE\)=.*$|\1=20000|' ${file}
sed -i '/^#force_color_prompt/ s|^#||' ${file}
# PS1: rewrite the default colour PS1 line (matched by its "033...32m" escape) with a blue
# user@host:dir prompt; ${color} is the \[\033[..m\] escape spliced in three times
color='\\[\\033[01;34m\\]'
sed -i 's|^\( *\)\(PS1.*033.*32m.*\)$|\1PS1="\${debian_chroot:+(\$debian_chroot)}\\['${color}'\\]\\u\\[\\e[1;37m\\]@\\['${color}'\\]\\h\\[\\e[1;37m\\]:\\W\\['${color}'\\]\$\\[\\e[0;0m\\]\"|' ${file}
sed -i 's|^#\?\(force_color_prompt\).*$|\1=yes|' ${file}
# source the shared env and functions from .bashrc, appended only if not already present;
# anything that can edit ${file_env} runs in every new shell of this user, so keep it owner-writable only
grep -q "${file_env}" ${file} || echo "
# source global variables
[ -f ${file_env} ] && . ${file_env}
[ -f ~/.bash_functions ] && . ~/.bash_functions
" >> ${file}
# same for the aliases (the leading "." in the grep pattern is a regex wildcard, which is harmless here)
grep -q '. ~/.bash_aliases' ${file} || echo "[ -f ~/.bash_aliases ] && . ~/.bash_aliases
" >> ${file}
. ${file}
# hosts file taken from the btrfs system snapshot named by ${btrfs_sys}
sudo cp -a /btrfs/sys/${btrfs_sys}/etc/hosts /etc/hosts
/home/shared/dev/keep/share-link nikita
root
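# root's shell: prompt colour by server type, PS1, shared env/aliases/functions, vimrc
file="/root/.bashrc"
sudo cp -a -- "${file}" "${file}.$(date +%s)"
# prompt colour per S_SERVER_TYPE (from /server/server.conf sourced above); each value is
# the literal \[\033[..m\] escape exactly as it must appear inside PS1
color_root="\033[01;31m"
case "$S_SERVER_TYPE" in
  home) color='\\[\\033[01;34m\\]' ;;
  ovh)  color='\\[\\033[01;32m\\]' ;;
  vz)   color='\\[\\033[01;33m\\]' ;;
  lxd)  color='\\[\\033[01;33m\\]' ;;
  kvm)  color='\\[\\033[01;38;5;172m\\]' ;;   # was '"\\[...' — the stray quote ended up in the prompt
  *)    color='\\[\\033[01;34m\\]'; color_root=$color ;;
esac
# force color
sudo sed -i '/^#force_color_prompt=/ s|#||' "${file}"
# PS1: coloured host, cwd, red prompt character; the line following the color_prompt
# test in .bashrc is the one replaced
ps1='${debian_chroot:+($debian_chroot)}'${color}'\\h\\[\\033[00m\\]\\w\\[\\033[01;31m\\]\\$\\[\\033[00m\\]'
# no root
#ps1='${debian_chroot:+($debian_chroot)}\\[\\033[01;31m\\]\\u\\[\\033[00m\\]@\\[\\033[01;32m\\]\\h\\[\\033[00m\\]:\\w\\[\\033[01;31m\\]\\$\\[\\033[00m\\]'
sudo sed -i "\|if \[ \"\$color_prompt\" = yes \]|{n;s|=.*|='$ps1'|}" "${file}"
# append the shared env/aliases/functions hooks once (the grep guards against duplicates).
# These files are sourced by root at every login: if they live under a user-writable tree
# (such as the /home/shared paths used elsewhere in this note), whoever can edit them runs
# code as root — keep them root-owned and not group/world-writable.
if ! sudo grep -q "${S_PATH_SCRIPT_CONF}/env" "${file}"; then
  sudo sh -c "echo '
# source global variables
[ -f ${S_PATH_SCRIPT_CONF}/env ] && . ${S_PATH_SCRIPT_CONF}/env
# aliases
[ -f ~/.bash_aliases ] && . ~/.bash_aliases
# functions
[ -f ~/.bash_functions ] && . ~/.bash_functions
' >> ${file}"
fi
# replace root's dotfiles by links to the shared copies
file=/root/.bash_aliases
sudo test -f "${file}" && sudo rm -- "${file}"
sudo ln -s "${file_bash_aliases}" "${file}"
file=/root/.bash_functions
sudo test -f "${file}" && sudo rm -- "${file}"
sudo ln -s "${file_bash_functions}" "${file}"
file=/root/.vimrc
sudo test -f "${file}" && sudo rm -- "${file}"
sudo ln -sv "${file_vimrc}" "${file}"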
snap
snap list --all
# sudo snap remove --revision ${rev} ${pck}
install
sudo apt install -y curl debconf-utils gnupg2 htop net-tools p7zip-full p7zip-rar pv rar testdisk tree unrar xsysinfo
sudo apt install -y meld most lnav dconf-editor galculator
sudo apt install -y binutils-common bsdmainutils pev wxhexeditor # binwalk
sudo apt install -y gpicview thunar-media-tags-plugin tumbler-plugins-extra
forensic
sudo apt install -y binutils-common bsdmainutils pev radare2 bless wxhexeditor # binwalk
vim
sudo apt install -y vim
cd
ln -sv "${file_vimrc}" .vimrc
sudo cp /home/shared/dev/install/conf/vim/* /usr/share/vim/vim*/colors/
tmux
sudo apt install -y tmux
ln -vs /usr/local/bs/conf/.tmux.conf .tmux.conf
ln -sv /home/shared/.tmux.tmux
cd /usr/share/bash-completion/completions/
sudo rm tmux
sudo ln -sv tmux.git tmux
tmux a
thunar
sudo cp -a /btrfs/sys/user-pahvo/.config/Thunar/uca.xml ~/.config/Thunar/
qt5
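sudo apt install -y qt5ct qt5-gtk-platformtheme qt5-style-plugins
# `sh -e` was wrong here (-e is errexit, not "run this string"): -c executes the command.
# The grep keeps repeated runs from appending the same line to /etc/environment twice.
grep -q '^QT_QPA_PLATFORMTHEME=' /etc/environment || sudo sh -c 'echo "QT_QPA_PLATFORMTHEME=qt5ct" >> /etc/environment'
export QT_QPA_PLATFORMTHEME=qt5ct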
plank
sudo apt install -y plank
# plank dock: register an XFCE autostart entry, then open its preferences
path=~/.config/autostart
[ -d "${path}" ] || mkdir "${path}"
cat > "${path}/plank.desktop" <<'EOF'
[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=plank
Comment=plank
Exec=plank
OnlyShowIn=XFCE;
RunHook=0
StartupNotify=false
Terminal=false
Hidden=false
EOF
plank --preferences &
sublimetext
file="/etc/hosts"
sudo sh -c "echo '\n# sublime-text hack\n127.0.0.1\tsublimetext.com\n127.0.0.1\twww.sublimetext.com\n127.0.0.1\tlicense.sublimehq.com' >> ${file}"
ips="45.55.255.55"
for ip in ${ips}; do sudo iptables -A OUTPUT -d ${ip} -j DROP; done
path=/etc/iptables
[ -d "${path}" ] || sudo mkdir "${path}"
sudo sh -c 'iptables-save > /etc/iptables/rules.v4'
cat ${S_PATH_INSTALL_CONF}/soft/sublime-text.license
path=~/.local/share/applications
[ -d "${path}" ] || sudo mkdir "${path}"
tar xzf /ext/shared/Soft/linux/backup/sublime_text_20220516-1652694297.tar.gz -C /tmp/
cd /tmp/
mv opt/sublime_text/ /opt/
mv home/nikita/.config/sublime-text-3/ ~/.config/
mv home/nikita/.sublime-project/ ~/
mv home/nikita/.local/share/applications/sublime-text.desktop ~/.local/share/applications/
[ -e ~/.local/share/applications ] || mkdir ~/.local/share/applications
mv home/nikita/.local/share/applications/sublime-text.desktop ~/.local/share/applications/
mozilla
# Firefox as a deb from the Mozilla team PPA instead of the snap.
sudo add-apt-repository -y ppa:ppa-mozillateam
sudo apt remove --purge firefox
sudo snap remove --purge firefox
# Pin the PPA above the Ubuntu archive. Mind the scope: "Package: *" at priority 1001
# lets every package this PPA publishes win over (and even downgrade) the archive
# version, not only firefox, so the PPA is effectively trusted for all of them.
printf '%s\n' 'Package: *' 'Pin: release o=LP-PPA-mozillateam' 'Pin-Priority: 1001' \
  | sudo tee /etc/apt/preferences.d/mozilla-firefox >/dev/null
apt policy firefox
sudo apt install -y firefox
cd
cp -a /home/shared/.mozilla.ubu /home/shared/.mozilla.ubu.${sdate}
ln -sv /home/shared/.mozilla.ubu .mozilla
cp -a /home/shared/.thunderbird.ubu /home/shared/.thunderbird.ubu.${sdate}
ln -sv /home/shared/.thunderbird.ubu .thunderbird
mudita24
sudo apt install -y mudita24
echo "[Desktop Entry]
Encoding=UTF-8
Version=0.9.4
Type=Application
Name=mudita24
Comment=mudita24
Exec=mudita24
OnlyShowIn=XFCE;
StartupNotify=false
Terminal=false
Hidden=true" > ~/.config/autostart/mudita24.desktop
gmusicbrowser
sudo add-apt-repository ppa:tomtomtom/gmusicbrowser
sudo apt update
sudo apt install -y gmusicbrowser
sudo cp -a /btrfs/sys/user-pahvo/.config/gmusicbrowser ~/.config/
gmusicbrowser &
background
# background desktop
sudo cp /home/shared/dev/install-desktop/conf/wp/xubuntu-development-dark.jpg /usr/share/xfce4/backdrops/
# shortcut keyboard
# xfce4-terminal / shift+ctrl+alt-t
# xfce4-terminal -e "tmux a" / ctrl+alt-t
# xfce4-popup-whiskermenu / Super L
meld
sudo cp /home/shared/dev/install-desktop/conf/soft/meld-dark.xml /usr/share/meld/styles/
end
sudo apt update
sudo apt autoremove
sudo apt autoclean
sudo apt clean
install
dev
sudo apt install wxhexeditor tmux most libscca-utils galculator
IDA
sudo apt-get install libc6-i686:i386 libexpat1:i386 libffi7:i386 libfontconfig1:i386 libfreetype6:i386 libgcc1:i386 libglib2.0-0:i386 libice6:i386 libpcre3:i386 libpng16-16:i386 libsm6:i386 libstdc++6:i386 libuuid1:i386 libx11-6:i386 libxau6:i386 libxcb1:i386 libxdmcp6:i386 libxext6:i386 libxrender1:i386 zlib1g:i386 libx11-xcb1:i386 libdbus-1-3:i386 libxi6:i386 libsm6:i386 libcurl4:i386
conf
# turn swap off now and keep swappiness low across reboots
sudo swapoff -av
printf 'vm.swappiness=5\n' | sudo tee /etc/sysctl.d/99-swappiness.conf >/dev/null
volatility
https://github.com/volatilityfoundation/volatility/wiki/Installation
pip
# pip for user installation
#pip=pip2
# pip for root installation
pip="sudo -H pip2"
$pip install -U pip setuptools
$pip install pycrypto distorm3 yara-python ujson openpyxl pytz ipython
libforensic1394.so.2
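# Build libforensic1394 from source and install it system-wide. The clone is unpinned
# (tip of the default branch): check out a reviewed tag or commit before the
# `sudo make install` / `sudo python setup.py install` steps, which run as root.
# Steps are chained with && so a failed cd/clone never runs the later commands elsewhere.
sudo apt install -y cmake
cd /tmp &&
git clone https://github.com/FreddieWitherden/libforensic1394 &&
cd libforensic1394 &&
mkdir build && cd build &&
cmake -G"Unix Makefiles" ../ &&
sudo make install &&
cd ../python &&
sudo python setup.py install
cd
# remove only the tree cloned above; ${src:?} aborts instead of expanding to "" if unset
src=/tmp/libforensic1394
sudo rm -rf -- "${src:?}"
sudo ln -sv /usr/local/lib/libforensic1394.so.2 /usr/lib/libforensic1394.so.2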
volatility 2.6
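# Volatility 2.6 from git, replacing any previous checkout. The clone is unpinned (default
# branch tip): check out a reviewed tag or commit before `setup.py install` runs as root.
# Absolute paths and && chaining keep the rm from ever running in the wrong directory.
cd /opt &&
sudo rm -rf -- /opt/volatility &&
sudo git clone https://github.com/volatilityfoundation/volatility.git &&
cd volatility &&
sudo rm -rf -- .git &&
sudo python setup.py install
# short "vol2" alias for the vol.py entry point, replacing an existing one
cd /usr/local/bin &&
sudo rm -f -- vol2 &&
sudo ln -sv vol.py vol2
vol2 -h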
# host
cp /home/shared/dev/install-desktop/conf/cuckoo/vol2 /vms/share/
#guest
file=/usr/share/bash-completion/completions/vol2
sudo mv /share/vol2 ${file}
opts=$(vol2 --info|sed -n '/^Plugins/,/^$/ p'|tail -n+3|cut -f1 -d' '|xargs)
sudo sed -i "/^ *opts=/ s|=.*|='${opts}'|" ${file}
grep opts= ${file}
exec bash
bash completion
# install the vol2 completion file, then inject the live plugin list into its opts= line
target=/usr/share/bash-completion/completions/vol2
sudo cp -a /home/shared/dev/install-desktop/conf/cuckoo/vol2 "${target}"
opts=$(vol2 --info | sed -n '/^Plugins/,/^$/ p' | tail -n+3 | cut -f1 -d' ' | xargs)
sudo sed -i "s|^\( *opts=\).*$|\1'${opts}'|" "${target}"
exec bash # reload completions
trick
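# Reclaim space by deleting every .git directory on the filesystem — destructive and
# recursive, hence the df before and after. -prune keeps find out of trees it is deleting,
# and the ";" after the -exec terminator is what separates the second df from the find
# expression (without it "df -h" was parsed as extra find arguments and never ran).
df -h ; sudo find / -type d -name .git -prune -exec rm -rf -- {} + ; df -h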
https://pev.sourceforge.io/doc/manual/en_us/ch06.html
ofs2rva
ofs2rva <offset> FILE
Convert raw file offset to RVA
Example
ofs2rva 0x1b9b8 calc.exe
pedis
pedis OPTIONS FILE
PE sections and functions (by default, until found a RET or LEAVE instruction)
--att # set AT&T syntax
-e, --entrypoint # disassemble entrypoint
-f, --format <text|csv|xml|html> change output format (default: text)
-m, --mode <16|32|64> # disassembly mode (default: auto)
-i, <number> # number of instructions to be disassembled
-n, <number> # number of bytes to be disassembled
-o, --offset <offset> # disassemble at specified file offset
-r, --rva <rva> # disassemble at specified RVA
-s, --section <section_name> # disassemble entire section given
pehash
pehash OPTIONS FILE
Calculate hashes of PE pieces
-f, --format <text|csv|xml|html> # change output format (default: text)
-a, --all # hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash
-c, --content # hash only the file content (default)
-h, --header <dos|coff|optional> # hash only the header with the specified name
-s, --section <section_name> # hash only the section with the specified name
--section-index <section_index> # hash only the section at the specified index (1..n)
peres
peres OPTIONS FILE
Show information about resource section and extract it
-a, --all # Show all information, statistics and extract resources
-i, --info # Show resources information
-s, --statistics # Show resources statistics
-x, --extract # Extract resources
-v, --file-version # Show File Version from PE resource directory
pesec
pesec [OPTIONS] FILE
Check for security features in PE files
-f, --format <text|csv|xml|html> # change output format (default: text)
-c, --certoutform <text|pem> # specifies the certificate output format (default: text)
-o, --certout <filename> # specifies the output filename to write certificates to (default: stdout)
pescan
pescan OPTIONS FILE
Search for suspicious things in PE files
-f, --format <text|html|xml|csv|json> # change output format (default: text)
-v, --verbose # show more info about items found
readpe
readpe OPTIONS FILE
Show PE file headers
-A, --all # full output (default)
-H, --all-headers # print all PE headers
-S, --all-sections # print all PE sections headers
-f, --format <text|csv|xml|html> change output format (default: text)
-d, --dirs # show data directories
-h, --header <dos|coff|optional> show specific header
-i, --imports # show imported functions
-e, --exports # show exported functions
rva2ofs
rva2ofs <rva> FILE
Convert RVA to raw file offset
Example
rva2ofs 0x12db cards.dll
Install
sudo apt install binwalk
binwalk [OPTIONS] [FILE1] [FILE2] ...
tool for searching binary images for embedded files and executable code
Special
binwalk $file # Get signatures (same as -B)
binwalk --hexdump --red $file1 $file2 # show only different lines
binwalk --raw $str $file # search string $str in file. use "\x00" for hexa character ("\x37" for 7)
binwalk --entropy $str $file # get entropy
binwalk --signature $str $file # search string $str in file. use "\x00" for hexa character ("\x37" for 7)
binwalk --extract $file && tree _${file}.extracted/ # extract files and show files in tree
Useful
-W, --hexdump # Perform a hexdump / diff of a file or files
-i, --red # Only show lines containing bytes that are different among all files
-U, --blue # Only show lines containing bytes that are different among some files
-e, --extract # Automatically extract known file types
-E, --entropy # Calculate file entropy
All
Signature Scan Options:
-B, --signature # Scan target file(s) for common file signatures
-R, --raw=<str> # Scan target file(s) for the specified sequence of bytes
-A, --opcodes # Scan target file(s) for common executable opcode signatures
-m, --magic=<file> # Specify a custom magic file to use
-b, --dumb # Disable smart signature keywords
-I, --invalid # Show results marked as invalid
-x, --exclude=<str> # Exclude results that match <str>
-y, --include=<str> # Only show results that match <str>
Extraction Options:
-e, --extract # Automatically extract known file types
-D, --dd=<type:ext:cmd> # Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka # Recursively scan extracted files
-d, --depth=<int> # Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> # Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> # Limit the size of each extracted file
-n, --count=<int> # Limit the number of extracted files
-r, --rm # Delete carved files after extraction
-z, --carve # Carve data from files, but don't execute extraction utilities
-V, --subdirs # Extract into sub-directories named by the offset
Entropy Options:
-E, --entropy # Calculate file entropy
-F, --fast # Use faster, but less detailed, entropy analysis
-J, --save # Save plot as a PNG
-Q, --nlegend # Omit the legend from the entropy plot graph
-N, --nplot # Do not generate an entropy plot graph
-H, --high=<float> # Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> # Set the falling edge entropy trigger threshold (default: 0.85)
Binary Diffing Options:
-W, --hexdump # Perform a hexdump / diff of a file or files
-G, --green # Only show lines containing bytes that are the same among all files
-i, --red # Only show lines containing bytes that are different among all files
-U, --blue # Only show lines containing bytes that are different among some files
-u, --similar # Only display lines that are the same between all files
-w, --terse # Diff all files, but only display a hex dump of the first file
Raw Compression Options:
-X, --deflate # Scan for raw deflate compression streams
-Z, --lzma # Scan for raw LZMA compression streams
-P, --partial # Perform a superficial, but faster, scan
-S, --stop # Stop after the first result
General Options:
-l, --length=<int> # Number of bytes to scan
-o, --offset=<int> # Start scan at this file offset
-O, --base=<int> # Add a base address to all printed offsets
-K, --block=<int> # Set file block size
-g, --swap=<int> # Reverse every n bytes before scanning
-f, --log=<file> # Log results to file
-c, --csv # Log results to file in CSV format
-t, --term # Format output to fit the terminal window
-q, --quiet # Suppress output to stdout
-v, --verbose # Enable verbose output
-h, --help # Show help output
-a, --finclude=<str> # Only scan files whose names match this regex
-p, --fexclude=<str> # Do not scan files whose names match this regex
-s, --status=<int> # Enable the status server on the specified port
Install
sudo apt install binwalk
balbuzard
balbuzard [options] <filename> [filename2 ...]
malware analysis tools to extract patterns of interest and crack obfuscation such as XOR
Special
balbuzard $file # resume all founds
balbuzard $file -v|grep ^---- -A2 # show all sections
Useful
-c CSV, --csv=CSV # export results to a CSV file
-r # find files recursively in subdirectories.
All
-h, --help # show this help message and exit
-c CSV, --csv=CSV # export results to a CSV file
-v # verbose display, with hex view.
-r # find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME # if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)
Install
pip2 install -U balbuzard
bbcrack
bbcrack [options] <filename>
uses a new algorithm based on patterns of interest to bruteforce typical malware obfuscation such as XOR, ROL, ADD and various combinations, in order to guess which algorithms/keys have been used
All
-l LEVEL, --level=LEVEL # select transforms with level 1, 2 or 3 and below
-i INCLEVEL, --inclevel=INCLEVEL # select transforms only with level 1, 2 or 3 (incremental)
-k KEEP, --keep=KEEP number of transforms to keep after stage 1
-s SAVE, --save=SAVE number of transforms to save to files after stage 2
-t TRANSFORM, --transform=TRANSFORM # only check specific transforms (comma separated list, or "-t list" to display all available transforms)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-p # profiling: measure time spent on each pattern.
bbharvest
bbharvest [options] <filename>
extracts all patterns of interest found when applying typical malware obfuscation transforms such as XOR, ROL, ADD and various combinations, trying all possible keys. It is especially useful when several keys or several transforms are used in a single file
All
-l LEVEL, --level=LEVEL # select transforms level 1, 2 or 3
-i INCLEVEL, --inclevel=INCLEVEL # select transforms only with level 1, 2 or 3 (incremental)
-c CSV, --csv=CSV # export results to a CSV file
-t TRANSFORM, --transform=TRANSFORM # only check specific transforms (comma separated list, or "-t list" to display all available transforms)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-p # profiling: measure time spent on each pattern.
bbtrans
bbtrans [options] <filename>
can apply any of the transforms from bbcrack (XOR, ROL, ADD and various combinations) to a file
All
-t TRANSFORM, --transform=TRANSFORM # transform to be applied (or "-t list" to display all available transforms)
-p PARAMS, --params=PARAMS # parameters for transform (comma separated list)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
hexdump [-bcCdovx] [-e format_string] [-f format_file] [-n length] [-s offset] file ...
ASCII, decimal, hexadecimal, octal dump
Special
hexdump -v # do not use * to replace duplicate lines
hexdump -ve '"%02X"' # convert in uppercase hexadecimal
hexdump -ve '8/1 "%02X"' # convert in uppercase hexadecimal in classic format 8bytes
hexdump -e '"%08_ax""|"' -e '16/1 "%02x ""|"' -e '16/1 "%_p""|\n"' # 1 bytes
hexdump -e '"%08_ax""|"' -e '8/2 "%04x ""|"' -e '16/1 "%_p""|\n"' # 2 bytes
hexdump -e '"%08_ax""|"' -e '4/4 "%08x ""|"' -e '16/1 "%_p""|\n"' # 4 bytes
Useful
-C # Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters. Calling the command hd implies this option.
-n length # Interpret only length bytes of input.
-s offset # Skip offset bytes from the beginning of the input. By default, offset is interpreted as a decimal number.
-v # Cause hexdump to display all input data. Without the -v option, any number of groups of output lines, which would be identical to the immediately preceding group of output lines (except for the input offsets), are replaced with a line comprised of a single asterisk.
All
-b # One-byte octal display. Display the input offset in hexadecimal, followed by sixteen space-separated, three column, zero-filled, bytes of input data, in octal, per line.
-c # One-byte character display. Display the input offset in hexadecimal, followed by sixteen space-separated, three column, space-filled, characters of input data per line.
-C # Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in ``|'' characters. Calling the command hd implies this option.
-d # Two-byte decimal display. Display the input offset in hexadecimal, followed by eight space-separated, five column, zero-filled, two-byte units of input data, in unsigned decimal, per line.
-e format_string # Specify a format string to be used for displaying data.
-f format_file # Specify a file that contains one or more newline separated format strings. Empty lines and lines whose first non-blank character is a hash mark (#) are ignored.
-n length # Interpret only length bytes of input.
-o # Two-byte octal display. Display the input offset in hexadecimal, followed by eight space-separated, six column, zero-filled, two byte quantities of input data, in octal, per line.
-s offset # Skip offset bytes from the beginning of the input. By default, offset is interpreted as a decimal number. With a leading 0x or 0X, offset is interpreted as a hexadecimal number, otherwise, with a leading 0, offset is interpreted as an octal number. Appending the character b, k, or m to offset causes it to be interpreted as a multiple of 512, 1024, or 1048576, respectively.
-v # Cause hexdump to display all input data. Without the -v option, any number of groups of output lines, which would be identical to the immediately preceding group of output lines (except for the input offsets), are replaced with a line comprised of a single asterisk.
-x # Two-byte hexadecimal display. Display the input offset in hexadecimal, followed by eight, space separated, four column, zero-filled, two-byte quantities of input data, in hexadecimal, per line.
Install
sudo apt install bsdmainutils
rabin2 [-AceghHiIsSMzlpRrLxvhqQTuUwV] [-a arch] [-b bits] [-B addr] [-C fmt:C:[D]] [-D lang sym|-] [-f subbin] [-k query] [-K algo] [-O binop] [-o str] [-m addr] [-@ addr] [-n str] [-X fmt file ...] file
Binary program info extractor
Special
rabin2 -H $file | grep -i timedate # compilation date
rabin2 -H $file | grep -i sizeofcode # size of code
rabin2 -i $file | grep -i " $dll " | wc -l # count imported functions in specific dll
rabin2 -i $file | awk '{print $5}' | grep -v '^\(lib\|\)$' | sort -u # show all imported libs (dll)
rabin2 -s $file | grep -i " $dll " | wc -l # count symbols functions in specific dll
rabin2 -H $file|grep -iA2 debug # debuger detection present
rabin2 -g Program|grep -i debug # details about debuger detection present
rabin2 -z $file | sed -n "/$str1/,/$str2/p" | sed 's/^.* ascii *//' > $fileout # extract data between 2 strings in file
Useful
-H # Show header fields (see ih command in r2)
-g # Show all possible information
-I # Show binary info (iI in r2)
-i # Show imports (symbols imported from libraries) (ii)
-R # Show relocations
-s # Show exported symbols
-S # Show sections
-SS # Show segments
-t # Show file hashes
-T # Show Certificates
-U # Show Resources
-z # Show strings inside .data section (like gnu strings does)
-x # Extract all sub binaries from a fat binary (f.ex: fatmach0)
-X format file ... # Package a fat or zip containing all the files passed (fat, zip)
-l # List linked libraries to the binary
-e # Show entrypoints for disk and on-memory
All
-@ addr # Show information (symbol, section, import) of the given address
-A # List sub-binaries and their associated arch-bits pairs
-a arch # Set arch (x86, arm, .. accepts underscore for bits x86_32)
-b bits # Set bits (32, 64, ...)
-B addr # Override baddr
-c # List classes
-cc # List classes in header format
-C [fmt:C[:D]] Create [elf,mach0,pe] # for arm and x86-32/64 tiny binaries where 'C' is an hexpair list of the code bytes and ':D' is an optional concatenation to describe the bytes for the data section.
-d # Show debug/dwarf information
-D lang symbolname # - Demangle symbol name (or - to read from stdin) for lang (cxx, swift, java, cxx, ..)
-e # Show entrypoints for disk and on-memory
-ee # Show constructor/destructors (extended entrypoints)
-f subbin # Select sub-binary architecture. Useful for fat-mach0 binaries
-F binfmt # Force to use that bin plugin (ignore header check)
-g # Show all possible information
-G addr # Load address . offset to header
-h # Show usage help message.
-H # Show header fields (see ih command in r2)
-I # Show binary info (iI in r2)
-i # Show imports (symbols imported from libraries) (ii)
-j # Output in json
-k query # Perform SDB query on loaded file
-K algo # Select a rahash2 checksum algorithm to be performed on sections listing (and maybe others in the future) i.e 'rabin2 -K md5 -S /bin/ls'
-l # List linked libraries to the binary
-L # List supported bin plugins
-M # Show address of 'main' symbol
-m addr # Show source line reference from a given address
-N minlen:maxlen # Force minimum and maximum number of chars per string (see -z and -zz). if (strlen>minlen && (!maxlen || strlen<=maxlen))
-n str # Show information (symbol, section, import) at string offset
-o str # Output file/folder for write operations (out by default)
-O binop # Perform binary operation on target binary (dump, resize, change sections, ...) see '-O help' for more information
-p # Disable VA. Show physical addresses
-P # Show debug/pdb information
-PP # Download pdb file for binary
-q # Be quiet, just show fewer data
-qq # Show less info (no offset/size for -z for ex.)
-Q # Show load address used by dlopen (non-aslr libs)
-r # Show output in radare format
-R # Show relocations
-s # Show exported symbols
-S # Show sections
-SS # Show segments
-t # Show file hashes
-T # Show Certificates
-u # Unfiltered (no rename duplicated symbols/sections)
-U # Show Resources
-v # Show version information
-V # Show binary version information
-w # Show try/catch blocks
-x # Extract all sub binaries from a fat binary (f.ex: fatmach0)
-X format file ... # Package a fat or zip containing all the files passed (fat, zip)
-z # Show strings inside .data section (like gnu strings does)
-Z # Guess size of binary program
-zz # Shows strings from raw bins
-zzz # Dump raw strings to stdout (for huge files)
Install
sudo apt install radare2
objdump <option(s)> <file(s)>
Display information from object <file(s)>
Useful
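# objdump one-liners against the file "Program".
# The '.' in the sed range is escaped so it matches a literal dot instead of any character.
objdump Program -x | sed -n '1,/\.rdata section/p' # everything up to the .rdata section
objdump Program -s | grep -A1 '^Contents'
objdump Program -sj "$section" # section=".data"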
-a, --archive-headers # Display archive header information
-f, --file-headers # Display the contents of the overall file header
-h, --[section-]headers Display the contents of the section headers
-x, --all-headers # Display the contents of all headers
-s, --full-contents # Display the full contents of all sections requested
All
At least one of the following switches must be given:
-a, --archive-headers # Display archive header information
-f, --file-headers # Display the contents of the overall file header
-p, --private-headers # Display object format specific file header contents
-P, --private=OPT,OPT... Display object format specific contents
-h, --[section-]headers Display the contents of the section headers
-x, --all-headers # Display the contents of all headers
-d, --disassemble # Display assembler contents of executable sections
-D, --disassemble-all # Display assembler contents of all sections
--disassemble=<sym> Display assembler contents from <sym>
-S, --source # Intermix source code with disassembly
--source-comment[=<txt>] Prefix lines of source code with <txt>
-s, --full-contents # Display the full contents of all sections requested
-g, --debugging # Display debug information in object file
-e, --debugging-tags # Display debug information using ctags style
-G, --stabs # Display (in raw form) any STABS info in the file
-W[lLiaprmfFsoRtUuTgAckK] or --dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames, =frames-interp,=str,=loc,=Ranges,=pubtypes, =gdb_index,=trace_info,=trace_abbrev,=trace_aranges, =addr,=cu_index,=links,=follow-links] # Display DWARF info in the file
--ctf=SECTION # Display CTF info from SECTION
-t, --syms # Display the contents of the symbol table(s)
-T, --dynamic-syms # Display the contents of the dynamic symbol table
-r, --reloc # Display the relocation entries in the file
-R, --dynamic-reloc # Display the dynamic relocation entries in the file
@<file> # Read options from <file>
-v, --version # Display this program's version number
-i, --info # List object formats and architectures supported
-H, --help # Display this information
The following switches are optional:
-b, --target=BFDNAME # Specify the target object format as BFDNAME
-m, --architecture=MACHINE # Specify the target architecture as MACHINE
-j, --section=NAME # Only display information for section NAME
-M, --disassembler-options=OPT Pass text OPT on to the disassembler
-EB --endian=big # Assume big endian format when disassembling
-EL --endian=little # Assume little endian format when disassembling
--file-start-context # Include context from start of file (with -S)
-I, --include=DIR # Add DIR to search list for source files
-l, --line-numbers # Include line numbers and filenames in output
-F, --file-offsets # Include file offsets when displaying information
-C, --demangle[=STYLE] # Decode mangled/processed symbol names. The STYLE, if specified, can be `auto', `gnu', `lucid', `arm', `hp', `edg', `gnu-v3', `java' or `gnat'
--recurse-limit # Enable a limit on recursion whilst demangling. [Default]
--no-recurse-limit # Disable a limit on recursion whilst demangling
-w, --wide # Format output for more than 80 columns
-z, --disassemble-zeroes # Do not skip blocks of zeroes when disassembling
--start-address=ADDR # Only process data whose address is >= ADDR
--stop-address=ADDR # Only process data whose address is < ADDR
--prefix-addresses # Print complete address alongside disassembly
--[no-]show-raw-insn # Display hex alongside symbolic disassembly
--insn-width=WIDTH # Display WIDTH bytes on a single line for -d
--adjust-vma=OFFSET # Add OFFSET to all displayed section addresses
--special-syms # Include special symbols in symbol dumps
--inlines # Print all inlines for source line (with -l)
--prefix=PREFIX # Add PREFIX to absolute paths for -S
--prefix-strip=LEVEL # Strip initial directory names for -S
--dwarf-depth=N # Do not display DIEs at depth N or greater
--dwarf-start=N # Display DIEs starting with N, at the same depth or deeper
--dwarf-check # Make additional dwarf internal consistency checks.
--ctf-parent=SECTION # Use SECTION as the CTF parent
--visualize-jumps # Visualize jumps by drawing ASCII art lines
--visualize-jumps=color # Use colors in the ASCII art
--visualize-jumps=extended-color # Use extended 8-bit color codes
--visualize-jumps=off # Disable jump visualization
Install
sudo apt install binutils-common
clamscan [options] [file/directory/-]
Scan files and directories for viruses
Useful
-i --infected # Only print infected files
-r --recursive[=yes/no(*)] # Scan subdirectories recursively
-f --file-list=FILE FILE # Scan files from FILE
All
-a --archive-verbose # Show filenames inside scanned archives
--stdout # Write to stdout instead of stderr. Does not affect 'debug' messages.
--no-summary # Disable summary at end of scanning
-i --infected # Only print infected files
--suppress-ok-results -o # Skip printing OK files
--bell # Sound bell on virus detection
--tempdir=DIRECTORY # Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] # Do not remove temporary files
--gen-json[=yes/no(*)] # Generate JSON description of scanned file(s). JSON will be printed and also dropped to the temp directory if --leave-temps is enabled.
-d --database=FILE/DIR FILE/DIR # Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] # Only load official signatures
-l --log=FILE FILE # Save scan report to FILE
-r --recursive[=yes/no(*)] # Scan subdirectories recursively
-z --allmatch[=yes/no(*)] # Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] # Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] # Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] # Follow file symlinks (0 = never, 1 = direct, 2 = always)
-f --file-list=FILE FILE # Scan files from FILE
--remove[=yes/no(*)] # Remove infected files. Be careful!
--move=DIRECTORY # Move infected files into DIRECTORY
--copy=DIRECTORY # Copy infected files into DIRECTORY
--exclude=REGEX # Don't scan file names matching REGEX
--exclude-dir=REGEX # Don't scan directories matching REGEX
--include=REGEX # Only scan file names matching REGEX
--include-dir=REGEX # Only scan directories matching REGEX
--bytecode[=yes(*)/no] # Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] # Load unsigned bytecode **Caution**: You should NEVER run bytecode signatures from untrusted sources. Doing so may result in arbitrary code execution.
--bytecode-timeout=N # Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] # Collect and print execution statistics
--detect-pua[=yes/no(*)] # Detect Possibly Unwanted Applications
--exclude-pua=CAT # Skip PUA sigs of category CAT
--include-pua=CAT # Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] # Detect structured data (SSN, Credit Card)
--structured-ssn-format=X # SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N # Min SSN count to generate a detect
--structured-cc-count=N # Min CC count to generate a detect
--structured-cc-mode=X # CC mode (0=credit debit and private label, 1=credit cards only
--scan-mail[=yes(*)/no] # Scan mail files
--phishing-sigs[=yes(*)/no] # Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] # Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] # Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] # Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] # Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] # Scan PE files
--scan-elf[=yes(*)/no] # Scan ELF files
--scan-ole2[=yes(*)/no] # Scan OLE2 containers
--scan-pdf[=yes(*)/no] # Scan PDF files
--scan-swf[=yes(*)/no] # Scan SWF files
--scan-html[=yes(*)/no] # Scan HTML files
--scan-xmldocs[=yes(*)/no] # Scan xml-based document files
--scan-hwp3[=yes(*)/no] # Scan HWP3 files
--scan-archive[=yes(*)/no] # Scan archive files (supported by libclamav)
--alert-broken[=yes/no(*)] # Alert on broken executable files (PE & ELF)
--alert-broken-media[=yes/no(*)] # Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
--alert-encrypted[=yes/no(*)] # Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] # Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] # Alert on encrypted documents
--alert-macros[=yes/no(*)] # Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] # Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] # Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] # Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] # Alert on raw DMG image files containing partition intersections
--nocerts # Disable authenticode certificate chain verification in PE files
--dumpcerts # Dump authenticode certificate chain in PE files
--max-scantime=#n # Scan time longer than this will be skipped and assumed clean (milliseconds)
--max-filesize=#n # Files larger than this will be skipped and assumed clean
--max-scansize=#n # The maximum amount of data to scan for each container file (**)
--max-files=#n # The maximum number of files to scan for each container file (**)
--max-recursion=#n # Maximum archive recursion level for container file (**)
--max-dir-recursion=#n # Maximum directory recursion level
--max-embeddedpe=#n # Maximum size file to check for embedded PE
--max-htmlnormalize=#n # Maximum size of HTML file to normalize
--max-htmlnotags=#n # Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n # Maximum size of script file to normalize
--max-ziptypercg=#n # Maximum size zip to type reanalyze
--max-partitions=#n # Maximum number of partitions in disk image to be scanned
--max-iconspe=#n # Maximum number of icons in PE file to be scanned
--max-rechwp3=#n # Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n # Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n # Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n # Maximum size file to perform PCRE subsig matching.
--disable-cache # Disable caching and cache checks for hash sums of scanned files.
-h --help # Show this help
--debug # Enable libclamav's debug messages
--quiet # Only output error messages
-v --verbose # Be verbose
-V --version # Print version number
Install
sudo apt install clamav
pescan OPTIONS FILE
Search for suspicious things in PE files
Useful
-f, --format <text|html|xml|csv|json> # change output format (default: text)
All
-f, --format <text|html|xml|csv|json> # change output format (default: text)
-v, --verbose # show more info about items found
-V, --version # show version and exit
--help # show this help and exit
Install
sudo apt install pev
strings [option(s)] [file(s)]
Display printable strings in [file(s)] (stdin by default)
Useful
-s --output-separator=<string> String used to separate strings in output.
All
-a - --all # Scan the entire file, not just the data section [default]
-d --data # Only scan the data sections in the file
-f --print-file-name # Print the name of the file before each string
-n --bytes=[number], -<number> # Locate & print any NUL-terminated sequence of at least [number] characters (default 4)
-t --radix={o,d,x} # Print the location of the string in base 8, 10 or 16
-w --include-all-whitespace Include all whitespace as valid string characters
-o # An alias for --radix=o
-T --target=<BFDNAME> # Specify the binary file format
-e --encoding={s,S,b,l,B,L} Select character size and endianness: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
@<file> # Read options from <file>
-h --help # Display this information
-v -V --version # Print the program's version number
file [OPTION...] [FILE...]
Determine type of FILEs.
Useful
-z, --uncompress # try to look inside compressed files
-F, --separator STRING # use string as separator instead of `:'
All
-m, --magic-file LIST # use LIST as a colon-separated list of magic number files
-z, --uncompress # try to look inside compressed files
-Z, --uncompress-noreport only print the contents of compressed files
-b, --brief # do not prepend filenames to output lines
-c, --checking-printout # print the parsed form of the magic file, use in conjunction with -m to debug a new magic file before installing it
-e, --exclude TEST # exclude TEST from the list of test to be performed for file. Valid tests are: apptype, ascii, cdf, compress, csv, elf, encoding, soft, tar, json, text, tokens
-f, --files-from FILE # read the filenames to be examined from FILE
-F, --separator STRING # use string as separator instead of `:'
-i, --mime # output MIME type strings (--mime-type and --mime-encoding)
--apple # output the Apple CREATOR/TYPE
--extension # output a slash-separated list of extensions
--mime-type # output the MIME type
--mime-encoding # output the MIME encoding
-k, --keep-going # don't stop at the first match
-l, --list # list magic strength
-L, --dereference # follow symlinks (default if POSIXLY_CORRECT is set)
-h, --no-dereference # don't follow symlinks (default if POSIXLY_CORRECT is not set) (default)
-n, --no-buffer # do not buffer output
-N, --no-pad # do not pad output
-0, --print0 # terminate filenames with ASCII NUL
-p, --preserve-date # preserve access times on files
-P, --parameter # set file engine parameter limits
indir 15 recursion limit for indirection
name 30 use limit for name/use magic
elf_notes 256 max ELF notes processed
elf_phnum 128 max ELF prog sections processed
elf_shnum 32768 max ELF sections processed
-r, --raw # don't translate unprintable chars to \ooo
-s, --special-files # treat special (block/char devices) files as ordinary ones
-S, --no-sandbox # disable system call sandboxing (keep the sandbox enabled when examining untrusted files)
-C, --compile # compile file specified by -m
-d, --debug # print debugging messages
--help # display this help and exit
-v, --version # output version information and exit
Install
see foralyse in https://code.ambau.fr
info
variables
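# Memory image and its volatility 2 profile, reused by the commands below.
file=/share/memory/dump
profile=Win7SP0x86
# Quoted so a dump path containing spaces is passed as a single argument.
vol2 -f "$file" --profile "$profile"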
# Options
--output dot/greptext/html/json/sqlite/text/xlsx
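# Browse the capabilities listed by `vol2 --info`; each sed range prints one section
# of that report, from its heading up to the next blank line.
vol2 --info # get all information from volatility
vol2 --info | sed -n '/^Profiles/,/^$/ p' # available profiles
vol2 --info | sed -n '/^Address/,/^$/ p' # available address spaces
vol2 --info | sed -n '/^Scanner/,/^$/ p' # available scanner
vol2 --info | sed -n '/^Plugins/,/^$/ p' # available plugins
# -E alternation instead of the GNU-only '\|' so the filter also works with BSD grep
vol2 --info | sed -n '/^Plugins/,/^$/ p' | grep -Ev '^(mac|linux)_' # windows plugins
vol2 --info | sed -n '/^Plugins/,/^$/ p' | grep '^linux_' # linux plugins
vol2 --info | sed -n '/^Plugins/,/^$/ p' | grep '^mac_' # mac plugins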
special
hash
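# -y / -s take the SYSTEM and SAM hive offsets (see hivelist); all expansions quoted
vol2 hashdump -f "${dump}" --profile="${profile}" -y "${offset_system}" -s "${offset_sam}"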
plugins
cmd
clipboard # Extract the contents of the windows clipboard
cmdline # Display process command-line arguments
cmdscan # Extract command history by scanning for _COMMAND_HISTORY
consoles # Extract command history by scanning for _CONSOLE_INFORMATION
device
devicetree # Show device tree
mbrparser # Scans for and parses potential Master Boot Records (MBRs)
dll
dlldump -D PATH # Dump DLLs from a process address space to PATH
-p PID # specify a process by its PID
-o OFFSET # specify a process by its Virtual OFFSET
dlllist # Print list of loaded dlls for each process
-p PID # specify a process by its PID
ldrmodules # Detect unlinked DLLs
dump
cachedump # Dumps cached domain hashes from memory
dumpcerts # Dump RSA private and public SSL keys
dlldump -D PATH # Dump DLLs from a process address space to PATH
-p PID # specify a process by its PID
-o OFFSET # specify a process by its Virtual OFFSET
dumpfiles # Extract memory mapped and cached files
hashdump # Dumps passwords hashes (LM/NTLM) from memory
hivedump # Prints out a hive
lsadump # Dump (decrypted) LSA secrets from the registry
procdump # Dump a process to an executable file sample
-o OFFSET, --offset=OFFSET # EPROCESS offset (in hex) in the physical address space
-p PID, --pid=PID # Operate on these Process IDs (comma-separated)
-n NAME, --name=NAME # Operate on these process names (regex)
-D DUMP_DIR, --dump-dir=DUMP_DIR # Directory in which to dump executable files
executable
impscan # Scan for calls to imported functions
-p PID, --pid=PID # Process ID (leave off to scan kernel memory)
-o OFFSET, --offset=OFFSET # EPROCESS offset (in hex) in the physical address space
-b BASE, --base=BASE # Base address in process memory if --pid is supplied, otherwise an address in kernel space
-s SIZE, --size=SIZE # Size of memory to scan
joblinks # Print process job link information
malfind # Find hidden and injected code
privs # Display process privileges
shimcache # Parses the Application Compatibility Shim Cache registry key
verinfo # Prints out the version information from PE images
file
dumpfiles # Extract memory mapped and cached files
filescan # Pool scanner for file objects
mftparser # Scans for and parses potential MFT entries
notepad # List currently displayed notepad text
hive
amcache # Print AmCache information
hivescan # Pool scanner for registry hives
hivedump # Prints out a hive
hivelist # Print list of registry hives
printkey # Print a registry key, and its subkeys and values
shimcache # Parses the Application Compatibility Shim Cache registry key
shutdowntime # Print ShutdownTime of machine from registry
userassist # Print userassist registry keys and information
hook
apihooks # Detect API hooks in process and kernel memory
driverirp # Driver IRP hook detection
eventhooks # Print details on windows event hooks
messagehooks # List desktop and thread window message hooks
image
imageinfo # get info from OS and profiles
kdbgscan # Search for and dump potential KDBG values
memory
bigpools # Dump the big page pools using BigPagePoolScanner
cachedump # Dumps cached domain hashes from memory
hpakextract # Extract physical memory from an HPAK file
hpakinfo # Info on an HPAK file
memdump # Dump the addressable memory for a process
memmap # Print the memory map
patcher # Patches memory based on page scans
raw2dmp # Converts a physical memory sample to a windbg crash dump
module
drivermodule # Associate driver objects to kernel modules
moddump # Dump a kernel driver to an executable file sample
modscan # Pool scanner for kernel modules
modules # Print list of loaded modules
timers # Print kernel timers and associated module DPCs
unloadedmodules # Print list of unloaded modules
network
connections # Print list of open connections [Windows XP and 2003 Only]
connscan # Pool scanner for tcp connections
netscan # list of connections
sockets # Print list of open sockets
sockscan # Pool scanner for tcp socket objects
password
dumpcerts # Dump RSA private and public SSL keys
hashdump # Dumps passwords hashes (LM/NTLM) from memory
truecryptmaster # Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase # TrueCrypt Cached Passphrase Finder
truecryptsummary # TrueCrypt Summary
process
envars # Display process environment variables
getsids # Print the SIDs owning each process
handles # Print list of open handles for each process
privs # Display process privileges
procdump # Dump a process to an executable file sample
pslist # Print all running processes by following the EPROCESS lists
-P # print for physical offset
psscan # Pool scanner for process objects
pstree # Print process list as a tree
psxview # Find hidden processes with various process listings
thrdscan # Pool scanner for thread objects
threads # Investigate _ETHREAD and _KTHREADs
service
getservicesids # Get the names of services in the Registry and return Calculated SID
servicediff # List Windows services (ala Plugx)
svcscan # Scan for Windows services
system
auditpol # Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bioskbd # Reads the keyboard buffer from Real Mode memory
callbacks # Print system-wide notification routines
crashinfo # Dump crash-dump information
driverirp # Driver IRP hook detection
driverscan # Pool scanner for driver objects
envars # Display process environment variables
evtlogs # Extract Windows Event Logs (XP/2003 only)
kpcrscan # Search for and dump potential KPCR values
machoinfo # Dump Mach-O file format information
mutantscan # Pool scanner for mutex objects
objtypescan # Scan for Windows object type objects
screenshot # Save a pseudo-screenshot based on GDI windows (require PIL)
shutdowntime # Print ShutdownTime of machine from registry
symlinkscan # Pool scanner for symlink objects
timeline
timeliner # Creates a timeline from various artifacts in memory
timers # Print kernel timers and associated module DPCs
user
atoms # Print session and window station atom tables
atomscan # Pool scanner for atom tables
clipboard # Extract the contents of the windows clipboard
deskscan # Pool scanner for tagDESKTOP (desktops)
gahti # Dump the USER handle type information
sessions # List details on _MM_SESSION_SPACE (user logon sessions)
userassist # Print userassist registry keys and information
userhandles # Dump the USER handle tables
vad
vaddump # Dumps out the vad sections to a file
vadinfo # Dump the VAD info
vadtree # Walk the VAD tree and display in tree format
vadwalk # Walk the VAD tree
virtual
qemuinfo # Dump Qemu information
vboxinfo # Dump virtualbox information
vmwareinfo # Dump VMware VMSS/VMSN information
volshell
Use addrspace() for Kernel/Virtual AS
Use addrspace().base for Physical AS
Use proc() to get the current process object
proc().get_process_address_space() for the current process AS
proc().get_load_modules() for the current process DLLs
addrspace() # Get the current kernel/virtual address space.
cc(offset=None, pid=None, name=None, physical=False) # Change current shell context.
db(address, length=128, space=None) # Print bytes as canonical hexdump.
dd(address, length=128, space=None) # Print dwords at address.
dis(address, length=128, space=None, mode=None) # Disassemble code at a given address.
dq(address, length=128, space=None) # Print qwords at address.
dt(objct, address=None, space=None, recursive=False, depth=0) # Describe an object or show type info.
find(needle, max=1, shift=0, skip=0, count=False, length=128)
getmods() # Generator for kernel modules (scripting).
getprocs() # Generator of process objects (scripting).
hh(cmd=None) # Get help on a command.
list_entry(head, objname, offset=-1, fieldname=None, forward=True, space=None) # Traverse a _LIST_ENTRY.
modules() # Print loaded modules in a table view.
proc() # Get the current process object.
ps() # Print active processes in a table view.
sc() # Show the current context.
For help on a specific command, type 'hh(<command>)'
windows
windows # Print Desktop Windows (verbose details)
wintree # Print Z-Order Desktop Windows Tree
wndscan # Pool scanner for window stations
others
editbox # Displays information about Edit controls. (Listbox experimental.)
gditimers # Print installed GDI timers and callbacks
gdt # Display Global Descriptor Table
idt # Display Interrupt Descriptor Table
hibinfo # Dump hibernation file information
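# NOTE(review): the other vol2 invocations on this page pass the image with -f; confirm the positional form works for imagecopy
imagecopy --profile "$profile" "$file" -O "${file}-converted"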
iehistory # Reconstruct Internet Explorer cache / history
poolpeek # Configurable pool scanner plugin
shellbags # Prints ShellBags info
strings # Match physical offsets to virtual addresses (may take a while, VERY verbose)
yarascan # Scan process or kernel memory with Yara signatures
Operators
See wireshark
Useful
select
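# Field extraction: -e is only honoured together with -T fields, so it is given on every line.
tshark -r "${dump}" -T fields -e ip.src # get all source ip addresses
tshark -r "${dump}" -T fields -e ip.proto
tshark -r "${file}" -T fields -e http.user_agent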
filter
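# Display filters (-Y) written back to a new capture with -w; -e needs -T fields to take effect.
tshark -r "${dump}" -T fields -e ip.src # get all source ip addresses
tshark -r "${dump}" -Y http -w filtered.pcapng # filter all http streams to file
tshark -r "${dump}" -Y "not ip.addr == 93.184.221.240" -w filtered.pcapng # filter by IP address
tshark -r "${dump}" -Y "frame.time_epoch >= 1631211000" -w filtered.pcapng # filter by frame time epoch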
help
tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ] [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]
tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]
Dump and analyze network traffic
Capture interface
-i <interface>, --interface <interface> # name or idx of interface (def: first non-loopback)
-f <capture filter> # packet filter in libpcap filter syntax
-s <snaplen>, --snapshot-length <snaplen> # packet snapshot length (def: appropriate maximum)
-p, --no-promiscuous-mode # don't capture in promiscuous mode
-I, --monitor-mode # capture in monitor mode, if available
-B <buffer size>, --buffer-size <buffer size> # size of kernel buffer (def: 2MB)
-y <link type>, --linktype <link type> # link layer type (def: first appropriate)
--time-stamp-type <type> # timestamp method for interface
-D, --list-interfaces # print list of interfaces and exit
-L, --list-data-link-types # print list of link-layer types of iface and exit
--list-time-stamp-types # print list of timestamp types for iface and exit
Capture stop conditions
-c <packet count> stop after n packets (def: infinite)
-a <autostop cond.> ..., --autostop <autostop cond.> ...
duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
packets:NUM - stop after NUM packets
Capture output
-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is an exact multiple of NUM secs
Input file
-r <infile>, --read-file <infile>
Processing
-2 # perform a two-pass analysis
-M <packet count> # perform session auto reset
-R <read filter>, --read-filter <read filter> # packet Read filter in Wireshark display filter syntax (requires -2)
-Y <display filter>, --display-filter <display filter> # packet displaY filter in Wireshark display filter syntax
-n # disable all name resolutions (def: all enabled)
-N <name resolve flags> # enable specific name resolution(s): "mnNtdv"
-d <layer_type>==<selector>,<decode_as_protocol> ... # "Decode As", see the man page for details Example: tcp.port==8888,http
-H <hosts file> # read a list of entries from a hosts file, which will then be written to a capture file. (Implies -W n)
--enable-protocol <proto_name> # enable dissection of proto_name
--disable-protocol <proto_name> # disable dissection of proto_name
--enable-heuristic <short_name> # enable dissection of heuristic protocol
--disable-heuristic <short_name> # disable dissection of heuristic protocol
Output
-w <outfile|-> # write packets to a pcapng-format file named "outfile" (or '-' for stdout)
--capture-comment <comment> # set the capture file comment, if supported
-C <config profile> # start with specified configuration profile
-F <output file type> # set the output file type, default is pcapng an empty "-F" option will list the file types
-V # add output of packet tree # (Packet Details)
-O <protocols> # Only show packet details of these protocols, comma separated
-P, --print # print packet summary even when writing to a file
-S <separator> # the line separator to print between packets
-x # add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|? # format of text output (def: text)
-j <protocolfilter> # protocols layers filter if -T ek|pdml|json selected (e.g. "ip ip.flags text", filter does not expand child nodes, unless child is specified also in the filter)
-J <protocolfilter> # top level protocol filter if -T ek|pdml|json selected (e.g. "http tcp", filter which expands all child nodes)
-e <field> # field to print if -Tfields selected (e.g. tcp.port, _ws.col.Info) this option can be repeated to print multiple fields
-E<fieldsoption>=<value> set options for output when -Tfields selected:
bom=y|n # print a UTF-8 BOM
header=y|n # switch headers on and off
separator=/t|/s|<char> # select tab, space, printable character as separator
occurrence=f|l|a # print first, last or all occurrences of each field
aggregator=,|/s|<char> # select comma, space, printable character as aggregator
quote=d|s|n # select double, single, no quotes for values
-t a|ad|adoy|d|dd|e|r|u|ud|udoy # output format of time stamps (def: r: rel. to first)
-u s|hms # output format of seconds (def: s: seconds)
-l # flush standard output after each packet
-q # be more quiet on stdout (e.g. when using statistics)
-Q # only log true errors to stderr (quieter than -q)
-g # enable group read access on the output file(s)
-W n # Save extra information in the file, if supported. n = write network address resolution information
-X <key>:<value> # eXtension options, see the man page for details
-U tap_name # PDUs export mode, see the man page for details
-z <statistics> # various statistics, see the man page for details
--export-objects <protocol>,<destdir> # save exported objects for a protocol to a directory named "destdir"
--color # color output text similarly to the Wireshark GUI, requires a terminal with 24-bit color support Also supplies color attributes to pdml and psml formats (Note that attributes are nonstandard)
--no-duplicate-keys # If -T json is specified, merge duplicate keys in an object into a single key with as value a json array containing all values
--elastic-mapping-filter <protocols> # If -G elastic-mapping is specified, put only the specified protocols within the mapping file
Miscellaneous
-h, --help # display this help and exit
-v, --version # display version info and exit
-o <name>:<value> ... # override preference setting
-K <keytab> # keytab file to use for kerberos decryption
-G [report] # dump one of several available reports and exit; the default report is "fields", use "-G help" for more help
Operators
https://www.wireshark.org/docs/man-pages/wireshark-filter.html
Logical expressions
and, && # Logical AND
or, || # Logical OR
not, ! # Logical NOT
Comparison
eq, == # Equal
ne, != # Not Equal
gt, > # Greater Than
lt, < # Less Than
ge, >= # Greater than or Equal to
le, <= # Less than or Equal to
Search
contains # Does the protocol, field or slice contain a value (case-sensitive)
matches, ~ # Does the protocol or text string match the given Perl-compatible regular expression (case-insensitive)
In
tcp.port in {80, 443, 8080} # <=> tcp.port == 80 or tcp.port == 443 or tcp.port == 8080
http.request.method in {"HEAD", "GET"}
# ranges
tcp.port in {443, 4430..4434}
ip.addr in {10.0.0.5 .. 10.0.0.9, 192.168.1.1..192.168.1.9}
frame.time_delta in {10 .. 10.5}
Functions
upper(string-field) # converts a string field to uppercase
lower(string-field) # converts a string field to lowercase
len(field) # returns the byte length of a string or bytes field
count(field) # returns the number of field occurrences in a frame
string(field) # converts a non-string field to string
Encoding
frame.len > 10
frame.len > 012
frame.len > 0xa
frame.len > '\n'
frame.len > '\x0a'
frame.len > '\012'
Slice
[i:j] # i = start_offset, j = length
[i-j] # i = start_offset, j = end_offset, inclusive.
[i] # i = start_offset, length = 1
[:j] # start_offset = 0, length = j
[i:] # start_offset = i, end_offset = end_of_field
# examples
eth.src[0:3] == 00:00:83
http.content_type[0:4] == "text"
token[0:5] ne 0.0.0.1.1
llc[0] eq aa
frame[100-199] contains "wireshark"
Protocol
sip # Session Initiation Protocol
rtp # Real-time Transport Protocol
http.request # only requests
http.response == # only response
http.response.code == # only response code
tcp.port == # both source and destination port
tcp.srcport == # source port
tcp.dstport == # destination port
tcp.analysis.flags # complete analysis about flags
tcp.contains # search text in any fields
tcp.flags.syn == # tcp syn flag
tcp.flags.reset == # tcp reset flag
udp.contains # search text in any fields
ip.addr == # both source and destination addresses
ip.src == # source addresses
ip.dst == # destination addresses
Capture Filter
install
https://computingforgeeks.com/install-kvm-qemu-virt-manager-arch-manjar/
# install the KVM/QEMU stack; the packages after the '#' are optional networking helpers
sudo pacman -S qemu virt-manager virt-viewer libguestfs # dnsmasq vde2 bridge-utils openbsd-netcat
# see virt-sandbox
# enable at boot, start now, then check that the daemon is up
sudo systemctl enable libvirtd.service
sudo systemctl start libvirtd.service
systemctl status libvirtd.service
conf
file=/etc/libvirt/libvirtd.conf
# keep a timestamped copy of the config before editing it
sudo cp -a $file $file$(date +%s)
# uncomment (or overwrite) unix_sock_group / unix_sock_rw_perms so members of the "libvirt" group get read-write access to the daemon socket
sudo sed -i 's|^#\?\(unix_sock_group =\).*$|\1 "libvirt"|' $file
sudo sed -i 's|^#\?\(unix_sock_rw_perms =\).*$|\1 "0770"|' $file
# NOTE: a member of "libvirt" controls every VM and any host device libvirt can attach to one; treat the group as root-equivalent and add trusted accounts only
sudo usermod -a -G libvirt $USER
sudo systemctl restart libvirtd.service
# pick the loaded vendor module (kvm_intel or kvm_amd); if more than one kvm_* module is loaded $mod holds several words
mod=$(lsmod|awk '/^kvm_/ {print $1}')
# reload with nested virtualisation enabled for the current boot
sudo modprobe -r $mod
sudo modprobe $mod nested=1
# persist it; ${mod/_/-} is the dash form of the module name used for the modprobe.d file
echo "options ${mod/_/-} nested=1" | sudo tee /etc/modprobe.d/${mod/_/-}.conf
# systool (sysfsutils) shows the effective parameter value
systool -m ${mod} -v | grep nested
share
host
hostpath=/vms/share
sudo mkdir $hostpath
# the daemon group is "libvirt-qemu" here, not "libvirtd" (left commented)
#sudo usermod -G libvirtd -a $USER
sudo usermod -G libvirt-qemu -a $USER
hostpath=/vms/share
# ownership change kept as an alternative; the ACL below grants the qemu group access without taking ownership away from the user
#sudo chown -R libvirt-qemu:libvirt-qemu $hostpath
# -d sets only the default ACL, i.e. what newly created files/dirs inherit; content already inside $hostpath keeps its current permissions (repeat without -d to cover it)
sudo setfacl -d -Rm g:libvirt-qemu:rwx $hostpath
virt-manager
hostshare
<filesystem type="mount" accessmode="mapped" fmode="0660" dmode="0770">
<source dir="/vms/share"/>
<target dir="/hostshare"/>
<address type="pci" domain="0x0000" bus="0x07" slot="0x00" function="0x0"/>
</filesystem>
guest
# guest-side mount point; the world-writable variant is kept commented, ownership by the user is the preferred option
guestpath=/share
#sudo chmod -R 777 $guestpath
sudo chown -R $USER:$USER $guestpath
mount
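# mount the host share over virtio 9p for this session
sudo mount -t 9p -o trans=virtio,rw,version=9p2000.L /hostshare "${guestpath}"
# persist the mount; the grep guard keeps a re-run of this snippet from appending the same line to /etc/fstab again
grep -q '^/hostshare ' /etc/fstab || sudo sh -c "echo '
# qemu share
/hostshare /share 9p trans=virtio,version=9p2000.L,rw,noauto 0 0' >> /etc/fstab"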
disk
shrink
# linux
# zero-fill the free space so unused blocks compress away in the convert step; dd stops with "No space left on device", which is the expected end
sudo dd if=/dev/zero of=/zero bs=4M
sudo rm /zero
# windows
# sysinternals sdelete: -z zeroes free space
sdelete -z C
# re-encode into a fresh qcow2 ($file2): zeroed clusters are left unallocated in the new image
qemu-img convert -O qcow2 $file $file2
reduce
qemu-img info $file
# shrinking cuts the tail of the virtual disk: the guest's partitions/filesystems must already fit below the new size or their data is lost
qemu-img resize -f qcow2 --shrink $file -10G
expand
qemu-img info $file
# grows the virtual disk only; the guest still has to extend its partition/filesystem to use the new space
qemu-img resize $file +2G
import / export
# dump the domain definition to <name>.xml in the cwd, then re-register it from that file (system libvirt instance)
virsh -c qemu:///system dumpxml "${guest}" > "${guest}.xml"
virsh -c qemu:///system define "${guest}.xml"
ova
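vm=tsurugi_linux_2022.1_vmdk
mkdir -p tmp
# an OVA is a tar archive (.ovf, .mf, .vmdk); list it with `tar tf "${vm}.ova"` to see the real disk name
tar xf "${vm}.ova" -C tmp/
# qemu-img convert writes raw output unless -O is given, so the original call produced a raw file with a .qcow2 name
qemu-img convert -f vmdk -O qcow2 "tmp/${vm}.vmdk" "${vm}.qcow2"
# variant when the disk inside the archive is named <vm>-disk001 (the -f is optional, qemu-img probes the input)
#qemu-img convert -f vmdk -O qcow2 "tmp/${vm}-disk001.vmdk" "${vm}.qcow2"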
Install
https://forum.manjaro.org/t/how-to-get-cisco-packet-tracer-on-manjaro/25506/3
# fetch the AUR snapshot (only the PKGBUILD and helpers; the proprietary .deb is not in it)
wget https://aur.archlinux.org/cgit/aur.git/snapshot/packettracer.tar.gz
tar xzf packettracer.tar.gz
cd packettracer
# get CiscoPacketTracer_810_Ubuntu_64bit.deb from cisco
# read the PKGBUILD before building: makepkg runs it as your user and checks the .deb against the sums it declares
makepkg
sudo pacman -U packettracer-8.1.0-1-x86_64.pkg.tar.zst
Commands
Global
? # show possible commands / options
enable # enter the administrative (privileged) mode
Hub
hostname $hostname # modify device name
Switch
clear mac-address-table dynamic
copy running-config startup-config # save actual configuration to memory for next startup
hostname $hostname # modify device name
show interfaces trunk
show ip interface
show mac-address-table
show startup-config # show whether a startup configuration has been saved
show vlan
configure terminal
interface $inter $p/$p
ip proxy-arp # set proxy-arp for $inter $p/$p
no ip proxy-arp # unset proxy-arp for $inter $p/$p
vlan switchport access vlan $v # set port $p/$p to vlan $v (create vlan if not exists)
vlan $v
name $name # set vlan name for $v
no vlan $v # remove vlan $v
Router
hostname $hostname # modify device name
configure terminal # enter in configuration terminal mode
ip route $network_address $mask $next_hop # add a route to router
end devices
hostname $hostname # modify device name
COLOR
base
# normal — ANSI "ESC[<attr>;<code>m": attr 0 = normal, then the colour code; ESC[0m resets
m=0; for i in {16..128}; do printf '\e[%s;%sm%s\e[0m' "$m" "$i" "$i"; done; echo
# bold — same table with attr 1
m=1; for i in {16..128}; do printf '\e[%s;%sm%s\e[0m' "$m" "$i" "$i"; done; echo
# all — one row per attribute 0..5 over the wider code range
for j in {0..5}; do echo "- ${j}"; for i in {16..256}; do printf '\e[%s;%sm%s\e[0m' "$j" "$i" "$i"; done; echo; done; echo
256
# 256-colour table: ESC[38;5;<n>m sets foreground colour n
for i in {16..255}; do printf '%s \e[38;5;%sm#\e[0m' "$i" "$i"; done; echo
SETTINGS
main.cf
mydomain # the base of domain FQDN
myhostname # the full domain FQDN which serve mails
myorigin # the domain added to sender
RESTRICTIONS
http://www.postfix.org/SMTPD_ACCESS_README.html
Restriction list name | Version | Status | Effect of REJECT or DEFER result |
---|---|---|---|
smtpd_client_restrictions | All | Optional | Reject all client commands |
smtpd_helo_restrictions | All | Optional | Reject HELO/EHLO information |
smtpd_sender_restrictions | All | Optional | Reject MAIL FROM information |
smtpd_relay_restrictions | ≥ 2.10 | Required if smtpd_recipient_restrictions does not enforce relay policy | Reject RCPT TO information |
smtpd_data_restrictions | ≥ 2.0 | Optional | Reject DATA command |
smtpd_end_of_data_restrictions | ≥ 2.2 | Optional | Reject END-OF-DATA command |
smtpd_etrn_restrictions | All | Optional | Reject ETRN command |
https://wiki.centos.org/HowTos/postfix_restrictions
telnet 192.168.0.2 25 # Comments
Trying 192.168.0.2...
Connected to 192.168.0.2 (192.168.0.2).
Escape character is '^]'.
220 mail.example.com ESMTP Postfix # <-smtp_client_restrictions
HELO mail.example.com # <-smtp_helo_restrictions
250 mail.example.com #
MAIL FROM:<ned@example.com> # <-smtp_sender_restrictions
250 2.1.0 Ok #
RCPT TO:<ned@example.com> # <-smtp_recipient_restrictions
250 2.1.5 Ok #
DATA # <-smtp_data_restrictions
354 End data with <CR><LF>.<CR><LF> #
To:<ned@example.com> # <-header_checks
From:<ned@example.com> #
Subject:SMTP Test #
This is a test message # <-body_checks
. #
250 2.0.0 Ok: queued as 301AE20034
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
ReST
https://rest-sphinx-memo.readthedocs.io/en/latest/
Syntax
code
module,class,method
:var <TYPE> <NOM>: <Description de la variable>
:var <NOM>: <Description de la variable>
:param <TYPE> <NOM>: <Description du paramètre>.
:param <NOM>: <Description d'un autre paramètre. Ici on ne précise pas le type, c'est optionnel>.
:returns: <Description de ce qui est retourné (si la fonction retourne quelque chose)>.
:rtype: <Type de ce qui est retourné>
:raises <Exception>: <Description de l'exception>.
:myindex: (int): deep
reference
`link vers ce site <https://code.ambau.ovh/>`_
:class:`mymodule.MyClass` About my class.
:meth:`mymodule.MyClass.myfunction` And my cool function
format
*italique*
**gras**
``code inline``
directives
https://www.sphinx-doc.org/en/master/usage/restructuredtext/basics.html
.. NOTE:: Ceci est une note.
.. WARNING:: Ceci est un avertissement !
.. IMPORTANT:: Ceci est important
.. TODO:: Liste de choses à faire
.. IMAGE:: files/graph1.png # from source path & html path
title
Titre principal
===============
Titre de niveau 2
-----------------
Titre de niveau 3
~~~~~~~~~~~~~~~~~
Un autre titre de niveau 2
--------------------------
list
* Ceci est une liste
* un autre élément
* Une sous-liste
* notez bien le saut de ligne avec la liste principale,
ça ne marchera pas si vous l'oubliez !
* un dernier élément
1. Un
2. Deux
3. Trois
https://rest-sphinx-memo.readthedocs.io/en/latest/ReST.html
#. Un
#. Deux
#. Trois
table
+-----------+-----------+-----------+
| Heading 1 | Heading 2 | Heading 3 |
+===========+===========+===========+
| Hello | World | |
+-----------+-----------+-----------+
| foo | |
+-----------+ bar |
| baz | |
+-----------+-----------------------+
rst files
index.rst
TITLE 1
=======
.. toctree::
:maxdepth: 2
:caption: Contents:
./AMatrix.rst
name.rst
include
include:: ../README.rst
module
.. module:: parrot
:platform: Unix, Windows
:synopsis: Analyze and reanimate dead parrots.
.. moduleauthor:: Eric Cleese <eric@python.invalid>
.. moduleauthor:: John Idle <john@python.invalid>
auto
.. automodule:: package.module # or just .. automodule:: module
.. autoclass:: classname
.. autofunction:: functionname
.. automethod:: myproject.foomodule.Foo.__contains__
options
:show-inheritance:
:members:
:private-members:
:undoc-members:
:special-members:
:exclude-members: __doc__
examples
.. automodule:: modulename
:members:
:undoc-members:
:exclude-members: __dict__,__weakref__
Installation
# manjaro
yay -S python-sphinx python-sphinx_rtd_theme
Use
https://deusyss.developpez.com/tutoriels/Python/SphinxDoc/
https://blog.flozz.fr/2020/09/07/introduction-a-sphinx-un-outil-de-documentation-puissant/
https://romanvm.pythonanywhere.com/post/autodocumenting-your-python-code-sphinx-part-i-5/
https://samnicholls.net/2016/06/15/how-to-sphinx-readthedocs/
sphinx-quickstart
Go to your project path
cd $path2myproject
mkdir docs && cd docs
sphinx-quickstart
export PYTHONPATH=$path2myproject
make html
sphinx-apidoc
sphinx-apidoc [OPTIONS] -o <OUTPUT_PATH> <MODULE_PATH> [EXCLUDE_PATTERN …]
Configuration
cd $path2myproject
file="source/conf.py"
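file="source/conf.py"
# uncomment the path bootstrap that sphinx-quickstart leaves commented out, pointing two levels up to the package
sed -i "s|.*\(import os\)$|\1|" "${file}"
sed -i "s|.*\(import sys\)$|\1|" "${file}"
sed -i "s|.*sys.path.insert.*|sys.path.insert(0, os.path.abspath('../../'))|" "${file}"
# '[' must be escaped: unescaped it opens a bracket expression and GNU sed rejects the whole expression as an unterminated `s' command
sed -i "s|^\(extensions = \[.*\)$|\1\n\t'sphinx.ext.autodoc',|" "${file}"
sed -i "s|^\(extensions = \[.*\)$|\1\n\t'sphinx_rtd_theme',|" "${file}"
# appends a second html_theme assignment right after the generated one; the later assignment wins in conf.py
sed -i "s|^\(html_theme = .*\)$|\1\nhtml_theme = 'sphinx_rtd_theme'|" "${file}"
make html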
conf.py
path
import os
import sys
# sys.path.insert(0, os.path.abspath('.'))
sys.path.insert(0, os.path.abspath('../../'))
extensions
extensions = [
'sphinx.ext.autodoc',
'sphinx_rtd_theme',
'sphinx.ext.todo',
'sphinx.ext.autosummary',
'sphinx_autopackagesummary',
]
[extensions]
todo_include_todos=True
#autosummary_generate = True
autodoc_member_order = 'bysource' # alphabetical (alphabetical), groupwise(member type), bysource (source order)
Installation
yay -S maxima # xmaxima
yay -S ttf-mathtype wxmaxima # wxmaxima
DOT
BASH
# render a one-edge graph; dot reads the graph text on stdin when no input file is given
dot -Tpng <<<'digraph G {Hello->World}' >hello.png
GRAPHVIZ
https://fr.wikipedia.org/wiki/Prolog
http://gecif.net/articles/linux/prolog.html#exemple1
https://www.tutorialspoint.com/prolog/index.htm
https://www.swi-prolog.org/pldoc/man?section=termrw
Présentation
Terms
Atomes
Les textes constants constituent des atomes. Un atome est ordinairement constitué d'une chaîne de lettres, nombres et traits bas (_), commençant par une lettre minuscule. Pour introduire un atome non alphanumérique, on l'entoure d'apostrophes (ainsi '+' est un atome, + un opérateur).
Nombres
Les implémentations courantes de Prolog ne distinguent pas les nombres entiers des flottants.
Chaînes de caractères
Les chaînes de caractères sont en général écrites comme une séquence de caractères entourés par des apostrophes. Elles sont souvent représentées en interne par une liste de codes ASCII.
Variables
Les variables sont indiquées en utilisant un ensemble de lettres, nombres et caractères de soulignement et commençant avec une lettre majuscule.
Termes composés
Prolog ne peut représenter des données complexes que par termes composés. Un terme composé consiste en une tête (aussi appelée foncteur), qui doit être un atome, et des paramètres sans restriction de type. Le nombre de paramètres, nommé arité du terme, est en revanche significatif. Un terme composé est identifié par sa tête et son arité, et habituellement écrit comme foncteur/arité.
Listes
Une liste n’est pas un type de données isolé, mais est définie par une construction récursive (utilisant le foncteur . d'arité 2, c'est donc au niveau de la représentation interne un terme composé):
l'atome [] est une liste vide ;
si T est une liste et H est un élément, alors le terme '.'(H, T) est une liste.
Prédicats
La programmation en Prolog est très différente de la programmation dans un langage impératif. En Prolog, on alimente une base de connaissances de faits et de règles ; il est alors possible de faire des requêtes à la base de connaissances.
L’unité de base de Prolog est le prédicat, qui est défini comme étant vrai. Un prédicat consiste en une tête et un nombre d’arguments. exemple :
chat(tom).
Prédéfinis
Quelques prédicats sont bâtis dans le langage et permettent à un programme Prolog des activités de routine (comme de l'évaluation numérique, les entrée/sortie, les fonctionnalités de l'interface graphique et généralement communiquer avec le système de l’ordinateur). Par exemple, le prédicat write peut être utilisé pour l’affichage à l’écran.
% print Bonjour
write('Bonjour').
Règles
Le second type d’instructions en Prolog est la règle. Un exemple de règle est :
lumière(on) :- interrupteur(on).
Évaluation
Quand l’interpréteur reçoit une requête, il recherche les règles (faits inclus) dont la partie gauche peut être unifiée avec la requête, et effectue cette unification avec la première règle trouvée. Par exemple ayant ce code Prolog :
% frère_ou_sœur(X,Y): X and Y are siblings when they share a parent Z and are not the same person
frère_ou_sœur(X,Y) :- parent(Z,X), parent(Z,Y), X \= Y.
% parent/2 is either a father or a mother relation
parent(X,Y) :- père(X,Y).
parent(X,Y) :- mère(X,Y).
% facts: mère(Mother, Child), père(Father, Child)
mère(trude, sally).
père(tom, sally).
père(tom, erica).
père(mike, tom).
On peut alors questionner:
?- frère_ou_sœur(F,S).
F = sally,
S = erica ;
F = erica,
S = sally ;
false.
?- frère_ou_sœur(sally, erica).
oui.
Négation par l'échec
La négation logique pure n'existe pas en Prolog, on se repose sur la négation par l'échec, qui se note différemment suivant les implémentations de Prolog
Exécution
Prolog est un langage logique, aussi en théorie, on n'a pas à se préoccuper de la façon dont il s’exécute. Cependant il est parfois prudent de prendre en compte comment l’algorithme d’inférence agit, pour éviter qu’un programme Prolog ne dure trop longtemps.
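% count the number of elements of a list: elems(+List, -Count)
elems([],0).
% the head is not used, so it is written _ (the original H was a singleton variable)
elems([_|T], X) :- elems(T, Y), X is Y + 1.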
pour miser X, ou j'ai cet argent d'emblée, ou sinon j'ai le crédit nécessaire.
% miser(X): bet X if the money is at hand (cut: no fallback), otherwise if credit is available.
% avoirargent/1 and avoircrédit/1 are not defined on this page.
miser(X) :- avoirargent(X), ! ; avoircrédit(X).
Syntax
% # comments
! # Opérateur d’arrêt vert. Le ! dit à l’interpréteur de ne plus chercher d’alternative
_ # récupère un résultat sans affectation, un atome qui commence par _ est équivalent
Operators
Comparison Operators
X > Y % X is greater than Y
X < Y % X is less than Y
X >= Y % X is greater than or equal to Y
X =< Y % X is less than or equal to Y
X =:= Y X == Y % the X and Y values are equal
X =\= Y X \= Y % the X and Y values are not equal
Arithmetic Operators
+ % Addition
- % Subtraction
* % Multiplication
/ % Division
** % Power
// % Integer Division
mod % Modulus
Usage
Base
consult(program). % load program named 'program.pl'
listing. % Lists all predicates defined in the calling module
listing(predicate). % List matching clauses
trace. % start trace
notrace.
nodebug.
trace(predicate). % traces program
trace(predicate/2, +fail). % Trace failures of predicate/2 in any module
trace(predicate, -all). % Stop tracing predicate
List
Print elements
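% print_list(+List): print each element on its own line.
% The empty-list clause is the base case; without it the recursion fails on [] and the predicate always fails.
print_list([]).
print_list([X|L]) :- writeln(X), print_list(L).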
Examples
statement
% test(+A): print which of the known values A holds; A must be bound and numeric, as =:= evaluates both sides.
% Clause order plus cut reproduces the if-then-else chain: first matching comparison wins, anything else prints the fallback.
test(A) :- A =:= 2, !, write('A is 2').
test(A) :- A =:= 3, !, write('A is 3').
test(_) :- write('HAhahahahaah').
start_w
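% start_w(?X, ?List): X is the first element of List.
% The tail is not used, so it is written _ (the original L was a singleton variable).
start_w(X,[X|_]).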
dce
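% dce(+List): succeed if two consecutive elements of List are equal (unify).
dce([X,X|_]).
% the head is not used in the recursive clause, so it is written _ (the original X was a singleton variable)
dce([_|S]):- dce(S).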
belong_to
% belong_to(?X, +List): succeed if X unifies with an element of List.
% Clause 1 cuts on the first match; clause 2 walks the tail.
% Clause 3 is an alternative single-clause formulation (X=H then cut, else recurse); with clauses 1-2 present it is only reached after they have failed, so it repeats the same search.
belong_to(X,[X|_]):- !.
belong_to(X,[_|L]):- belong_to(X,L).
belong_to(X,[H|L]):- X=H, !; belong_to(X,L).
ended_w
% ended_w(?X, +List): X is the last element of List.
% Clause 1 has no cut, so a successful call leaves a choicepoint into clause 2/3.
% Clause 3 is an alternative formulation: body is ([X]=L, !) ; ended_w(X,L), i.e. cut when the tail is exactly [X], else recurse; with clauses 1-2 present it only runs after they fail.
ended_w(X,[X]).
ended_w(X,[_|L]):- ended_w(X,L).
ended_w(X,[_|L]):- [X]=L, !; ended_w(X,L).
remove0
% remove0(?Head, ?List, ?Tail): List is [Head|Tail]; removes the first element only when it unifies with Head
remove0(H, [H|T], T).
remove1
% remove1(+E, +L, -L2): L2 is L with the first occurrence of E removed (clauses 1-2).
% Clauses 3-6 are debugging variants of the same predicate kept for reference: they trace the recursion with write/1,
% and the last two change the result (they put 5 / 1 into the output list). All six are remove1/3, so when the whole
% file is consulted they are appended to the same predicate and the variants run on backtracking; load only one variant.
remove1(E,[E|L],L):- !. % set L2 = L when first element of list are E
remove1(E,[X|L],[X|L2]):- remove1(E,L,L2). % resolve & add X to L2 while unstacking
remove1(E,[E|L],L):- write('&'), writeln(L), !. % set L2 = L when first element of list are E
remove1(E,[X|L],[X|L2]):- write(L), write('-'), writeln(L2), remove1(E,L,L2), write('>'), writeln(L2).
remove1(E,[E|L],[5|L]):- write('&'), writeln(L), !. % set L2 = L when first element of list are E
remove1(E,[_|L],[1|L2]):- write(L), write('-'), writeln(L2), remove1(E,L,L2), write('>'), writeln(L2).
min in list
% min_get(+List, ?Min): smallest element of a non-empty list of numbers.
% Compares the two front elements, keeps the smaller one at the front and recurses until one element remains.
min_get([Only], Only) :- !.
min_get([A, B|Rest], Min) :-
    ( A < B -> Keep = A ; Keep = B ),
    min_get([Keep|Rest], Min).
% min_get_t(+List, +Acc, ?Min): accumulator form; Acc holds the smallest value seen so far and is returned at the end.
min_get_t([], Acc, Acc) :- !.
min_get_t([H|Rest], Acc, Min) :-
    ( H < Acc -> NewAcc = H ; NewAcc = Acc ),
    min_get_t(Rest, NewAcc, Min).
% min_get_t(+List, ?Min): entry point (a distinct predicate, arity 2) seeding the accumulator with the first element.
min_get_t([H|Rest], Min) :- min_get_t(Rest, H, Min).
% plus_petit(+List, ?Min): same idea as min_get/2 written with two guarded clauses instead of if-then-else.
% No cut: every recursion step leaves a choicepoint for the second clause, which the timing lines below suggest is far slower.
plus_petit([X],X).
plus_petit([X,Y|L],R):- X =< Y, plus_petit([X|L],R).
plus_petit([X,Y|L],R):- X > Y, plus_petit([Y|L],R).
?- numlist(0,1000000,L), time(min_get(L, 1)).
% 2,000,001 inferences, 0.775 CPU in 0.777 seconds (100% CPU, 2579609 Lips)
?- numlist(0,1000000,L), time(min_get_t(L, 1)).
% 3,000,002 inferences, 0.196 CPU in 0.197 seconds (100% CPU, 15268446 Lips)
?- numlist(0,1000000,L), time(plus_petit(L, 1)).
% 3,000,001 inferences, 5.512 CPU in 5.521 seconds (100% CPU, 544250 Lips)
factoriel
% facto(+N, ?R): R is N! by plain (non tail) recursion.
facto(0,1).
facto(1,1):- !.
% the N>1 guard keeps the recursive clause from running for 0 and 1; negative N simply fails
facto(N,R):- N>1, N1 is N-1, facto(N1,R1), R is R1*N.
% facto_t(+N, +T, ?R): accumulator version; T carries the running product and is returned when N reaches 1.
facto_t(1,R,R):- !.
facto_t(N,T,R):- N>1, N1 is N-1, R1 is T*N, facto_t(N1,R1,R).
% facto_t(+N, ?R): two-argument entry point (facto_t/2, a distinct predicate from the accumulator one above).
facto_t(0,1).
facto_t(N,R):- facto_t(N,1,R).
fibonacci
get the result
% fibo(+N, ?R, ?S): R is fib(N) and S is fib(N-1), built by descending to N=1.
% Only N=1 stops the recursion and there is no N>1 guard, so a direct fibo/3 call with N<1 never terminates;
% the fibo/2 entry point below guards with N<2.
fibo(1,1,1):- !.
fibo(N,R,S):-
N1 is N-1,
fibo(N1,R1,S1),
R is R1+S1,
S is R1.
% fibo(+N, ?R): values below 2 are 1, otherwise delegate to fibo/3 (body is an if-then-else).
fibo(N,R):-
N<2 -> R = 1;
fibo(N,R,_).
% fibo_t(+N, ?RF, +R, +S): tail-recursive form; R and S are the two most recent values, RF receives R when N reaches 1.
fibo_t(1,R,R,_):- !. % fibo_t(1,R,X,_):- R = X, !; !. / minus N>1
fibo_t(N,RF,R,S):-
N>1,
N1 is N-1,
R1 is R+S,
fibo_t(N1,RF,R1,R).
% fibo_t(+N, ?R): entry point seeding the pair with (1,1).
fibo_t(N,R):-
N<2 -> R = 1;
fibo_t(N,R,1,1).
% Naive exponential version.
% NOTE: these are two more clauses of fibo/2 (same name and arity as the fibo/2 above), so when the whole file is consulted
% they are appended to that predicate and run on backtracking after its answer; keep only one definition of fibo/2 loaded.
fibo(X,1):- X<2. % simple but fat version
fibo(N,R):- N1 is N-1, N2 is N-2, fibo(N1, R1), fibo(N2, R2), R is R1+R2.
% 299,998 inferences, 3.693 CPU in 3.700 seconds (100% CPU, 81244 Lips)
?- time(fibo_t(100000, _)).
% 200,000 inferences, 0.521 CPU in 0.525 seconds (99% CPU, 383935 Lips)
get values in list
% fibo_l(+N, ?S, ?R, ?L): like fibo/3 but also builds L, the list of values from fib(N) down to fib(1).
% As with fibo/3, only N=1 stops the recursion; call through fibo_l/2 or with N>=1.
fibo_l(1,1,1,[1]):- !.
fibo_l(N,S,R,L):-
N1 is N-1,
fibo_l(N1,S1,R1,L1),
R is R1+S1,
S is R1,
L = [R|L1].
% fibo_l(+N, ?L): entry point, only the list is returned.
fibo_l(N,L):- fibo_l(N,_,_,L).
% fibo_lt(+N, ?L, +LT, +R, +S): tail-recursive list builder; LT accumulates the values (newest first), R and S are the two latest values.
fibo_lt(1,L,L,_,_):- !.
fibo_lt(N,L,LT,R,S):-
N>1,
N1 is N-1,
R1 is R+S,
Lt = [R1|LT],
fibo_lt(N1,L,Lt,R1,R).
% fibo_lt(+N, ?L): entry point seeding the accumulator with [1] and the pair (1,1).
fibo_lt(N,L):- fibo_lt(N,L,[1],1,1).
?- time(fibo_l(100000, _)).
% 299,998 inferences, 3.876 CPU in 3.883 seconds (100% CPU, 77390 Lips)
?- time(fibo_lt(100000, _)).
% 299,998 inferences, 0.781 CPU in 0.783 seconds (100% CPU, 384010 Lips)
list is sorted
% sort_list(+L, ?R): selection sort; repeatedly extract the minimum and rebuild the list in front of the sorted rest.
% min_is/2 is not defined on this page (min_get/2 above is the closest match) — confirm it exists elsewhere before use.
% remove1/3 is the predicate defined above; with its debugging variants loaded it alters the list.
sort_list([],[]).
sort_list(L,R):- min_is(L,M), remove1(M, L, L2), sort_list(L2,R1), R = [M|R1].
% is_sorted(+L, +R): compares R with the sorted copy of L using ==, so R must be a bound list; with R unbound it always fails.
% Presumably meant to check L == LS — verify the intent.
is_sorted(L,R):- sort_list(L,LS), R == LS.
USB
RTL8821CU
https://github.com/brektrou/rtl8821CU
RTL88x2BU / RTL8822BU
manjaro
https://github.com/cilynx/rtl88x2BU_WiFi_linux_v5.3.1_27678.20180430_COEX20180427-5959
ubuntu
INSTALL
MANJARO
yay -S autofs sshfs
CONFIGURATION
SSHFS
SSH KEY
Do not forget to put the root key on the remote server!!
autofs connects using root's rights
MANJARO
/etc/autofs/auto.master.d/cluster.autofs
# master map entry: mount point /home/cluster, submap /etc/autofs/auto.sshfs; uid/gid map the remote files to local user 1000
# NOTE(review): the spaces after the commas in "uid=1000,gid=1000, --timeout=30, --ghost" look accidental — autofs option lists are normally comma-separated without spaces; confirm it parses
echo "/home/cluster /etc/autofs/auto.sshfs uid=1000,gid=1000, --timeout=30, --ghost" | sudo tee /etc/autofs/auto.master.d/cluster.autofs
/etc/autofs/auto.sshfs
# submap entry: /home/cluster/node1 becomes an sshfs mount of the remote root (":sshfs\#root@node1\:/", '#' and ':' escaped for autofs), authenticated with the local root's SSH key
# NOTE: rw + allow_other expose that remote root filesystem, read-write, to any local user who can reach the mount point; prefer limiting the remote side (read-only export or a dedicated, restricted account) over relying on the local uid mapping
echo "node1 -fstype=fuse,port=2002,rw,allow_other :sshfs\#root@node1\:/" | sudo tee /etc/autofs/auto.sshfs
TEST SSHFS
# manual sshfs mount of the remote root, to check the key/port setup before relying on autofs
path=/tmp/node1
mkdir -p -- "${path}"
sshfs "root@node1:/" "${path}"
MAN
systemd-resolve [OPTIONS...] HOSTNAME|ADDRESS...
systemd-resolve [OPTIONS...] --service [[NAME] TYPE] DOMAIN
systemd-resolve [OPTIONS...] --openpgp EMAIL@DOMAIN...
systemd-resolve [OPTIONS...] --statistics
systemd-resolve [OPTIONS...] --reset-statistics
Resolve domain names, IPv4 and IPv6 addresses, DNS records, and services.
-h --help # Show this help
--version # Show package version
--no-pager # Do not pipe output into a pager
-4 # Resolve IPv4 addresses
-6 # Resolve IPv6 addresses
-i --interface=INTERFACE # Look on interface
-p --protocol=PROTO|help # Look via protocol
-t --type=TYPE|help # Query RR with DNS type
-c --class=CLASS|help # Query RR with DNS class
--service # Resolve service (SRV)
--service-address=BOOL # Resolve address for services (default: yes)
--service-txt=BOOL # Resolve TXT records for services (default: yes)
--openpgp # Query OpenPGP public key
--tlsa # Query TLS public key
--cname=BOOL # Follow CNAME redirects (default: yes)
--search=BOOL # Use search domains for single-label names (default: yes)
--raw[=payload|packet] # Dump the answer as binary data
--legend=BOOL # Print headers and additional info (default: yes)
--statistics # Show resolver statistics
--reset-statistics # Reset resolver statistics
--status # Show link and server status
--flush-caches # Flush all local DNS caches
--reset-server-features # Forget learnt DNS server feature levels
--set-dns=SERVER # Set per-interface DNS server address
--set-domain=DOMAIN # Set per-interface search domain
--set-llmnr=MODE # Set per-interface LLMNR mode
--set-mdns=MODE # Set per-interface MulticastDNS mode
--set-dnsovertls=MODE # Set per-interface DNS-over-TLS mode
--set-dnssec=MODE # Set per-interface DNSSEC mode
--set-nta=DOMAIN # Set per-interface DNSSEC NTA
--revert # Revert per-interface configuration
TRICKS
LXC
bind DNS from host to containers
dynamically
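# for selected interface: the verb takes link and mode positionally (`resolvectl dnssec LINK MODE`); the earlier `--interface lxdbr0 dnssec set no` form is not a resolvectl verb
resolvectl dnssec lxdbr0 no
# add DNS configuration to lxd domain (DNS server = the bridge's own IPv4 address, read from `lxc network show`)
resolvectl dns lxdbr0 "$(lxc network show lxdbr0 | sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')"
# '~lxd' is a routing-only domain: queries for *.lxd go to this link's server without lxd becoming a search domain
resolvectl domain lxdbr0 '~lxd'
# old style
# systemd-resolve --interface lxdbr0 --set-dnssec no #~ old style
#sed -i 's|^.\?DNSSEC=.*$|DNSSEC=allow-downgrade|' /etc/systemd/resolved.conf # global / not too advisable
#systemd-resolve --interface lxdbr0 --set-domain '~lxd' --set-dns "$(lxc network show lxdbr0 | sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')"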
persistently
# drop-in for systemd-resolved: DNS server = lxdbr0's own IPv4 address (prefix length stripped by sed), lxd as domain, DNSSEC off for that link
path="/etc/systemd/resolved.conf.d/"
mkdir -p "${path}"
cidr="$(lxc network show lxdbr0 | sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')"
printf '%s\n' \
  "# Configuration file for lxdbr0" \
  "[Resolve]" \
  "DNS=${cidr}" \
  "Domains=lxd" \
  "DNSSEC=no" > "${path}/lxd.conf"
start & enable service
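# `systemctl status` prints a multi-line report, never the bare word "inactive", so the original string comparison could never match;
# is-active / is-enabled report the state through their exit code, which is what the || chains on
systemctl is-active --quiet systemd-resolved.service || systemctl start systemd-resolved.service
systemctl is-enabled --quiet systemd-resolved.service || systemctl enable systemd-resolved.service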
test
# resolve a container name through the lxd routing domain; the old systemd-resolve form is kept commented
resolvectl query sp20-www.lxd
#systemd-resolve -i lxdbr0 sp20-www.lxd
Use TAB to select options & values !!
journalctl -p err|alert|crit|debug|emerg|err|info|notice|warning # print only level
-u $service # show logs for unit $service (e.g. apache2)
_PID=1 # show journal for one PID
<command> # show journal for one command (ex: /usr/sbin/apache2)
OTHERS
systemd-cgls [OPTIONS...] [CGROUP...]
Recursively show control group contents
-a --all Show all groups, including empty
-u --unit Show the subtrees of specified system units
--user-unit Show the subtrees of specified user units
-l --full Do not ellipsize output
-k Include kernel threads in output
-M --machine= Show container
systemd-cgtop [OPTIONS...] [CGROUP]
Show top control groups by their resource usage
-p --order=path Order by path
-t --order=tasks Order by number of tasks/processes
-c --order=cpu Order by CPU load (default)
-m --order=memory Order by memory load
-i --order=io Order by IO load
-r --raw Provide raw (not human-readable) numbers
--cpu=percentage Show CPU usage as percentage (default)
--cpu=time Show CPU usage as time
-P Count userspace processes instead of tasks (excl. kernel)
-k Count all processes instead of tasks (incl. kernel)
--recursive=BOOL Sum up process count recursively
-d --delay=DELAY Delay between updates
-n --iterations=N Run for N iterations before exiting
-b --batch Run in batch mode, accepting no input
--depth=DEPTH Maximum traversal depth (default: 3)
-M --machine= Show container
systemd-analyze [OPTIONS...] {COMMAND} ...
Profile systemd, show unit dependencies, check unit files
-h --help # Show this help
--version # Show package version
--no-pager # Do not pipe output into a pager
--system # Operate on system systemd instance
--user # Operate on user systemd instance
-H --host=[USER@]HOST # Operate on remote host
-M --machine=CONTAINER # Operate on local container
--order # Show only order in the graph
--require # Show only requirement in the graph
--from-pattern=GLOB # Show only origins in the graph
--to-pattern=GLOB # Show only destinations in the graph
--fuzz=SECONDS # Also print services which finished SECONDS earlier than the latest in the branch
--man[=BOOL] # Do [not] check for existence of man pages
--generators[=BOOL] # Do [not] run unit generators (requires privileges)
Commands:
time # Print time spent in the kernel
blame # Print list of running units ordered by time to init
critical-chain [UNIT...] # Print a tree of the time critical chain of units
plot # Output SVG graphic showing service initialization
dot [UNIT...] # Output dependency graph in man:dot(1) format
log-level [LEVEL] # Get/set logging threshold for manager
log-target [TARGET] # Get/set logging target for manager
dump # Output state serialization of service manager
syscall-filter [NAME...] # Print list of syscalls in seccomp filter
verify FILE... # Check unit files for correctness
calendar SPEC... # Validate repetitive calendar time events
service-watchdogs [BOOL] # Get/set service watchdog state
path
# get path for a specific value
# walk every path of the document and keep those whose value is the given string; outputs the path arrays
paths as $path | select(getpath($path) == "10.0.0.159") | $path
# get paths in string format
# render each path in dotted form: array indices become "[]", then dedupe and prefix with "." so every line is a usable jq path
[paths|map(if type=="number" then "[]" else tostring end)|join(".")|split(".[]")|join("[]")]|unique|map("."+.)|.[]
insert data
# three newline-separated JSON objects; jq processes them as a stream, one object per line
data='{"ipv4":"192.168.0.1"}
{"ipv4":"192.168.0.100"}
{"ipv4":"192.168.0.102"}'
# add a "hostname" key to the object whose ipv4 matches; the others pass through unchanged
jq -r 'select(.ipv4 == "192.168.0.1") |= . + {"hostname":"toto"}' <<<"$data"
LXC
pretty print
# pretty print
# looks like $ctname followed by a "$" end-anchor for lxc's name filter — confirm; jq -C keeps colours even when piped
lxc list --format=json $ctname$ | jq -C
search
# search in keys recursively & get values for key
# ".." recurses into every value; ".hwaddr?" ignores non-objects instead of erroring
lxc list --format json|jq -r '..|.hwaddr?|select(.!=null and .!="")'
# search in keys recursively & get flatten path
lxc list --format json | jq -c 'paths | select(.[-1] == "hwaddr")'
# search by type
# filter only: reads the JSON document from stdin (e.g. `lxc list --format json | jq ...`)
jq 'path(recurse(if type|. == "array" or . =="object" then .[] else empty end))'
# search image by alias
# the shell's single quotes close and reopen around -1635.*$, so jq receives test("-1635.*$")
lxc image list --format=json | jq -r '.[].aliases[] | select(.name | test("'-1635.*$'")).name'
name
# print name
lxc list --format=json | jq -r '.[].name'
# print selected name for exact name alpine (== is an exact string compare)
lxc list --format=json | jq -r '.[] | select(.name == "alpine311").name'
# print selected name for alpine.* in regexp format (test/1 is an unanchored regex search)
lxc list --format=json | jq -r '.[] | select(.name | test("alpine.*")).name'
# display names of running containers
lxc list --format=json | jq -r '.[] | select(.status == "Running").name'
# display names of running containers with a selected name
lxc list --format=json | jq -r '.[] | select(.status == "Running") | select(.name == "alpine314").name'
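# display name of containers which have attached profile $profile
# --arg hands the value to jq as a variable instead of splicing it into the filter text, so quotes or other jq syntax in $profile cannot alter the filter
lxc list --format=json | jq -r --arg profile "$profile" '.[] | select(.profiles | any(contains($profile))).name'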
IP
Display first IP address for specified: interface
# Display IP address of the first network interface of containers which have an interface named 'eth0'
# indexing null yields null in jq, so a container without eth0 prints "null" rather than an error
lxc list --format=json | jq -r '.[].state.network.eth0.addresses[0].address'
# Display IP mac address & IP address for containers which have eth0 named interface
# builds a one-entry object keyed by the MAC address
lxc list --format json|jq '.[].state.network.eth0 | {(.hwaddr): .addresses[0].address}'
Display IP address for specified: name, scope, family
Display IP address for container named 'alpine311$' with network interface='eth0', with scope='global' & family='inet'
# "eth0?" suppresses the error when the interface is missing; scope/family narrow to the global IPv4 address
lxc list --format=json alpine311$ | jq -r '.[].state.network.eth0?.addresses[]
| select(.scope == "global" and .family == "inet")
| .address'
Display pairs 'name + Ip address' for specified: interface, family
Display 'name + address' for containers with network, interface='eth0', scope='global' & family='inet'
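# one "name address" line per inet address on eth0; containers without network state are skipped
# (the profile-list command that had been pasted into the closing lines of this pipeline is removed — it is the separate example below)
lxc list --format=json | jq -r '.[] |
select (.state.network != null) |
(.name + " " + (
.state.network.eth0.addresses[] |
select(.family == "inet") |
.address
)
)'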
Display profile names and users in json format
# prints the profile name and then its used_by array (as JSON) for each profile
lxc profile list -f json|jq -r '.[] | (.name, .used_by)'
Display name, ipv4, hwaddr for running containers with network in json format
# one object per container with network state: name, its inet address(es) on eth0, and the MAC
lxc list --format=json | jq -r '.[] |
select (.state.network != null) |
{
"name": .name,
"ip": (
.state.network.eth0.addresses[] |
select(.family == "inet") |
.address
),
"hwaddr": .state.network.eth0.hwaddr
}'
EXAMPLES
CONTAINER
BACKUP
# backup server
# cron env assignments are taken literally (no expansion), so $DATE holds the text "date +%Y%m%d-%T" and only runs when a command line does $($DATE)
CMD = /usr/local/bs/backup-server
OPTS = --vz --vz-dump --vz-cleanlog
LOG_FILE = /var/log/server/cron-backup-server
DATE = date +%Y%m%d-%T
# every week, the monday at 2h00
#*/1 * * * * root echo "$($DATE) /usr/local/bs/backup-server --vz --vz-dump" >> $LOG_FILE
# the echo line writes a timestamped record of the command to the log one minute before it actually runs
0 2 * * 1 root echo "$($DATE) /usr/local/bs/backup-server --vz --vz-dump --vz-cleanlog" >> $LOG_FILE
# every week, the monday at 02h01
1 2 * * 1 root test -x $CMD && $CMD $OPTS >> $LOG_FILE
55 2 * * 1 root echo "$($DATE) /usr/sbin/vzctl stop 105" >> $LOG_FILE
56 2 * * 1 root /usr/sbin/vzctl stop 105 >> $LOG_FILE
# every hour
# (commented variant; it says $OPT, not $OPTS, so it would run CMD with no options if re-enabled)
#0 */1 * * * root test -x $CMD && $CMD $OPT
MARIADB
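# cron to dump mariadb databases
CMD = /usr/local/bs/mysql-dump-slave
# The database password used to sit here in clear text. Anything in this value
# is readable by whoever can read this file, and because it is handed to the
# script as a command-line argument ("$CMD $OPTS" below) it also shows up in
# "ps" / /proc/<pid>/cmdline for every local user while the dump runs.
# Keep the real secret out of this file (a root-only, mode 0600 credentials
# file or the environment, if mysql-dump-slave can read it from there) and
# replace the placeholder below accordingly.
OPTS = "db_pwd=PLACEHOLDER_DB_PASSWORD path2=/var/share/mariadb/save"
LOG_FILE = /var/log/server/cron-mariadb
DATE = date +%Y%m%d-%T
# every day at 01:00: the log line deliberately leaves db_pwd empty so the
# secret is never echoed into the log.
0 1 * * * root echo "$($DATE) /usr/local/bs/mysql-dump-slave db_pwd= path2=/var/share/mariadb/save" >> $LOG_FILE # every day at 1h00
# every day at 01:01: $OPTS is left unquoted on purpose so sh splits it into
# the two db_pwd=/path2= arguments (cron strips the surrounding quotes).
1 1 * * * root test -x $CMD && $CMD $OPTS >> $LOG_FILE # every day at 01h01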
SERVER
BACKUP
# cron to sync server backup from HOST to local
# Pulls /save/backup/ from HOST as root over ssh on port 2002. No identity or
# host-key options are given, so both come from root's own ssh configuration;
# a dedicated key on HOST restricted to this rsync is worth confirming.
# No --delete: files removed on HOST remain in the local copy.
HOST = ns388803
DATE = date +%Y%m%d-%T
LOG_FILE = /var/log/server/cron-ns388803-backup
# every day at 03:00: log a timestamped line naming the transfer that runs next.
0 3 * * * root echo "$($DATE) rsync -e 'ssh -p2002' -av root@${HOST}:/save/backup/ /save/${HOST}/backup/" >> $LOG_FILE
# every day at 03:01: the transfer itself; -a preserves ownership/permissions,
# -v writes every transferred file name into the log.
1 3 * * * root rsync -e 'ssh -p2002' -av root@${HOST}:/save/backup/ /save/${HOST}/backup/ >> $LOG_FILE
MARIADB
# cron to sync mariadb dump from HOST to local
# Same shape as the backup sync: rsync as root over ssh port 2002, identity
# and host key taken from root's ssh configuration, no --delete (old dumps
# removed on HOST stay here).
HOST = ns388803
DATE = date +%Y%m%d-%T
LOG_FILE = /var/log/server/cron-ns388803-mariadb
# every day at 03:30: log line announcing the transfer.
30 3 * * * root echo "$($DATE) rsync -e 'ssh -p2002' -av root@${HOST}:/save/mariadb/ /save/${HOST}/mariadb/" >> $LOG_FILE
# every day at 03:31: the transfer.
31 3 * * * root rsync -e 'ssh -p2002' -av root@${HOST}:/save/mariadb/ /save/${HOST}/mariadb/ >> $LOG_FILE
# cron to sync mail from HOST to local
# Source is /vm/share/mail/ on HOST; everything else as above.
HOST = ns388803
DATE = date +%Y%m%d-%T
LOG_FILE = /var/log/server/cron-ns388803-mail
# every day at 03:50: log line announcing the transfer.
50 3 * * * root echo "$($DATE) rsync -e 'ssh -p2002' -av root@${HOST}:/vm/share/mail/ /save/${HOST}/mail/" >> $LOG_FILE
# every day at 03:51: the transfer.
51 3 * * * root rsync -e 'ssh -p2002' -av root@${HOST}:/vm/share/mail/ /save/${HOST}/mail/ >> $LOG_FILE
INSTALLATION
JAVA
For Eclipse source browsing and content assist, install the openjdk-src and openjdk-doc packages
manjaro
sudo pacman -Sy openjdk-src openjdk-doc
JAVA CONFIGURATION
openjdk
After that go to Preferences / Java / Installed JREs, edit the JRE and define the paths for:
- jre: /usr/lib/jvm/java-15-openjdk/
- Source path: give the path of src.zip: /usr/lib/jvm/java-15-openjdk/lib/src.zip
- javadoc location: give the path of api documentation: file:/usr/share/doc/java-openjdk/api
jdk
After that go to Preferences / Java / Installed JREs, edit the JRE and define the paths for:
- jre: /usr/lib/jvm/java-16-jdk/
- Source path: give the path of src.zip: /usr/lib/jvm/java-16-jdk/lib/src.zip
- javadoc location: give the path of api documentation: file:/usr/share/doc/java-jdk/api
CONFIGURATION
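opt=java
release=2021-03
path_opt="/opt/eclipse_${opt}_${release}"
user_path="/home/nikita/.eclipse_${opt}"
workspace_path="/home/nikita/dev/eclipse-workspaces-${opt}/${opt}"
file="${path_opt}/eclipse.ini"
# install: unpack into /opt, then rename the generic "eclipse" directory to the
# versioned one (every expansion quoted so paths with spaces cannot split)
tar xzf "/ext/shared/Soft/multi/eclipse-java-${release}-R-linux-gtk-x86_64.tar.gz" -C /opt/
mv -- /opt/eclipse "${path_opt}"
# configuration: keep a timestamped copy of eclipse.ini before editing in place
cp -a -- "$file" "${file}-keep$(date +%s)"
# after the "-vmargs" line, append a -Duser.home override pointing at $user_path
# (GNU sed one-line "a text" form; the text starts right after "a")
sed -i "/^-vmargs/ a-Duser.home=${user_path}" "$file"
# point the default workspace at $workspace_path by replacing everything after "="
sed -i "/^-Dosgi.instance.area.default/ s|=.*|=${workspace_path}|" "$file"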
DOT
Add these lines to eclipse.ini
# Append the two properties (efxclipse settings, judging by their names) to
# eclipse.ini; $file is the eclipse.ini path set in the CONFIGURATION block above.
printf '%s\n' \
  '-Dosgi.framework.extensions=org.eclipse.fx.osgi' \
  '-Defxclipse.java-modules.dir=/usr/lib/jvm/javafx-sdk-15/lib' >> "$file"
JAVAFX
https://openjfx.io/openjfx-docs/
https://openjfx.io/openjfx-docs/#IDE-Eclipse
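sudo pacman -S java-openjfx
# Resolve the JDK directory once. The original kept the glob inside $path, and
# since a plain assignment never glob-expands, the literal pattern
# "java-*-openjdk" ended up in env.conf (and hence in JAVA_HOME); an array
# literal does expand it. With several matching JDKs the first one is used
# (the unquoted test on the old pattern would have failed with "too many arguments").
jdk_dirs=(/usr/lib/jvm/java-*-openjdk)
path="${jdk_dirs[0]}"
[ -d "$path" ] || printf 'warning: no /usr/lib/jvm/java-*-openjdk directory found\n' >&2
pathfx="${path}/lib/javafx"
[ -d "$pathfx" ] || mkdir -- "$pathfx"
# move the JavaFX jars out of the JDK's top level into lib/javafx
for jar in javafx.base.jar javafx.controls.jar javafx.fxml.jar javafx.graphics.jar javafx.media.jar javafx.swing.jar javafx-swt.jar javafx.web.jar; do
  [ -f "${path}/${jar}" ] && mv -- "${path}/${jar}" "${pathfx}/${jar}"
done
file=/etc/server/env.conf
# export JAVA_HOME / PATH_TO_FX once (skipped when env.conf already mentions PATH_TO_FX)
if ! grep -q PATH_TO_FX "$file"; then
  printf '\n######## JAVA\nexport JAVA_HOME=%s\nexport PATH_TO_FX=%s\n' "$path" "$pathfx" >> "$file"
fi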
BASH EDITOR
Manjaro
xfce4-terminal -x bash --login -c '${BE_CMD_CALL}'
Ubuntu
gnome-terminal -- bash --login -c '${BE_CMD_CALL}'
SOFTWARE SITES
Teams
Tuleap Mylyn http://eclipse.tuleap.net/mylyn.tasks/update/
CodeTogether https://www.codetogether.com/updates/ci/
Yatta Profiles & Launcher https://marketplace.yatta.de/update/profiles/client
tools
ColorTheme http://eclipse-color-theme.github.com/update
DevStyle http://www.genuitec.com/updates/devstyle/ci
DevUtils http://kangtae49.github.io/dev-utils-plugin/update
QuickRex http://netceteragroup.github.io/quickrex/updatesite
softs
DBeaver https://dbeaver.io/update/latest/
Papyrus 2020-06 https://download.eclipse.org/modeling/mdt/papyrus/updates/releases/2020-06
Papyrus Designer http://download.eclipse.org/modeling/mdt/papyrus/components/designer/
Papyrus Marte http://download.eclipse.org/modeling/mdt/papyrus/components/marte/
Papyrus Moka http://download.eclipse.org/modeling/mdt/papyrus/components/moka/
Papyrus Nightly https://download.eclipse.org/modeling/mdt/papyrus/updates/nightly/master
sysml16 releases https://download.eclipse.org/modeling/mdt/papyrus/components/sysml16/2019-06/
EMF 2.14 Release http://marketplace.yatta.de/eclipse-mirror/modeling/emf/emf/builds/release/2.14
languages
BashEditor https://dl.bintray.com/de-jcup/basheditor
CDT http://download.eclipse.org/tools/cdt/releases/10.0
PyDev http://pydev.org/updates
CLEAN PLUGINS
** Clean the history first !!
** one
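eclipse_path="/opt/eclipse_java_2021-03"
# The p2 profile id is stored in config.ini as "eclipse.p2.profile=<id>";
# keep only the value ($(...) instead of backticks, path quoted).
eclipse_profile=$(sed -n '/^eclipse.p2.profile=.*/ s|.*=||p' "${eclipse_path}/configuration/config.ini")
# run the p2 garbage collector for that profile; skip rather than call it with an empty -profile
[ -n "$eclipse_profile" ] && "${eclipse_path}/eclipse" -application org.eclipse.equinox.p2.garbagecollector.application -profile "${eclipse_profile}"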
** all
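# Same garbage collection for every /opt/eclipse* installation. The glob
# replaces parsing `ls` output; the -d test skips the literal pattern that a
# non-matching glob leaves behind.
for eclipse_path in /opt/eclipse*/; do
  eclipse_path="${eclipse_path%/}"
  [ -d "$eclipse_path" ] || continue
  # profile id from "eclipse.p2.profile=<id>" in config.ini
  eclipse_profile=$(sed -n '/^eclipse.p2.profile=.*/ s|.*=||p' "${eclipse_path}/configuration/config.ini")
  # skip installations without a readable profile id instead of passing an empty -profile
  [ -n "$eclipse_profile" ] && "${eclipse_path}/eclipse" -application org.eclipse.equinox.p2.garbagecollector.application -profile "${eclipse_profile}"
done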