This is about … .
Prerequisites
- Install Windows as a VM guest (use VBox, Vmware, Parallels or any other tool)
- Disable all sharing options except for 1 folder that will act as a buffer for files between the guest and the host
-
Set-ExecutionPolicy Bypass - Install choco
Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')). It’s a packet manager for Windows (like apt for Linux or brew for macOS), and it will help your life easier. - You will need to install .NET framework as well (you will be prompted when running some of the tools)
Network Forensics
dshell
git clone https://github.com/USArmyResearchLab/Dshell
python3 -m pip install Dshell/
pip install geoip2
Download geo databases from here or use the links from GitHub. Move the files to the site-packages folder on your OS. I have pyenv installed (for different python versions). For me (macOS + pyenv the path was: /Users/username/.pyenv/versions/3.9.11/lib/python3.9/site-packages/dshell/data/GeoIP.
❗️ Don’t use
pyenvwith it since you won’t be able to dosudo dshellwhich is required for some functionality.
⛔️ I don’t remember the error message accurately, but something about not being able to find Geo libraries. ✍🏻 Download geo databases from here or use the links from GitHub. Move the files to the
site-packagesfolder on your OS. I have pyenv installed (for different python versions). For me (macOS +pyenvthe path was:/Users/username/.pyenv/versions/3.9.11/lib/python3.9/site-packages/dshell/data/GeoIP. Pay attention, not the folder that you have downloaded, but the folder that was created AFTER the dshell was installed withpython3 -m pip install Dshell/.⛔️
Couldn't load netifaces, some utils won't work✍🏻pip install netifaces
Windows
Eric Zimmerman’s Tools
The easiest way to install is via a PS1 script - https://f001.backblazeb2.com/file/EricZimmermanTools/Get-ZimmermanTools.zip from https://ericzimmerman.github.io/#!index.md. One of the requirements - .NET installed (https://f001.backblazeb2.com/file/EricZimmermanTools/net6/All_6.zip).
macOS
Password Cracking
Install John the Ripper on macOS - https://www.google.co.uk/search?source=hp&ei=xOZoXtfNJIu53AOriq2ICg&q=john+the+ripper+install+macos&btnK=Google+Search&oq=fridump.py++dow&gs_l=psy-ab.3.0.33i160.3716.6053..7545...0.0..0.83.326.5......0....2j1..gws-wiz.EKLnxRYpE78#fpstate=ive&vld=cid:6d5ad76b,vid:4CnjjpWYK90.
brew install john
cd /opt/homebrew/Cellar # not sure about the path
ln -s /opt/homebrew/Cellar/john/1.9.0_1/libexec john
sudo port install p5.30-compress-raw-lzma
# download all the scripts
git clone https://github.com/openwall/john.git
# copy all from https://github.com/openwall/john/tree/bleeding-jumbo/run to /opt/homebrew/Cellar/john/1.9.0_1/share/john
cp john/run/* /opt/homebrew/Cellar/john/1.9.0_1/share/john
# install hashcat
brew install hashcat
Download the 7z2john.pl script from https://github.com/openwall/john/blob/bleeding-jumbo/run/7z2john.pl. Other scripts - https://github.com/openwall/john.
7z2john.pl script (John the Ripper tool) that can extract the hash of the password from the zip file.
7z2john.pl /path/to/zip.7z > zip.hash
sudo hashcat -h | grep 7-zip
hashcat -m 11600 /path/to/hash /path/to/wordlist
⛔️ I installed perl with homebrew, but I kept getting
Can't locate Compress/Raw/Lzma.pm in @INC (you may need to install the Compress::Raw::Lzma module) (@INC contains: /opt/homebrew/opt/perl/lib/perl5/site_perl/5.36/darwin-thread-multi-2level /opt/homebrew/opt/perl/lib/perl5/site_perl/5.36 /opt/homebrew/opt/perl/lib/perl5/5.36/darwin-thread-multi-2level /opt/homebrew/opt/perl/lib/perl5/5.36 /opt/homebrew/lib/perl5/site_perl/5.36/darwin-thread-multi-2level /opt/homebrew/lib/perl5/site_perl/5.36) at ./7z2john.pl line 6. BEGIN failed--compilation aborted at ./7z2john.pl line 6.✍🏻 So, I have spent several hours on that thing that involved a lot of googling. I needed to install the library that Perl complained to be missing. But that didn’t work. I tried rufind . -name “*Lzma.pm” | grep -i lzmanning
sudo cpan Compress::Raw::Lzma,cpan Compress::Raw::Lzma,sudo port install lzma,sudo port install p5.30-compress-raw-lzma,brew install xz- same issue. As if the script doesn’t see the files I keep installing.From the https://github.com/theos/theos/issues/273 issue of another program I figured out that sha-bang line
#!/usr/bin/env perlat the beginning of the script points to the perl version defined in environment variables. However, there was nothing inenvabout perl. Still, I have decided to change it to#!/usr/bin/perlto point to the system perl explicitly. The error changed a little. That means that the script will use system perl executable and not the one installed byhomebrew.
Can't locate Compress/Raw/Lzma.pm in @INC (you may need to install the Compress::Raw::Lzma module) (@INC contains: /Library/Perl/5.30/darwin-thread-multi-2level /Library/Perl/5.30 /Network/Library/Perl/5.30/darwin-thread-multi-2level /Network/Library/Perl/5.30 /Library/Perl/Updates/5.30.3/darwin-thread-multi-2level /Library/Perl/Updates/5.30.3 /System/Library/Perl/5.30/darwin-thread-multi-2level /System/Library/Perl/5.30 /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level /System/Library/Perl/Extras/5.30) at ./7z2john.pl line 6. BEGIN failed--compilation aborted at ./7z2john.pl line 6.Ok, now it looks at the system perl folder, but it still can’t find it.
Unfortunately, no single solution on the Internet was helpful. I have used this issue from another program https://github.com/theos/theos/issues/273, https://perlmaven.com/how-to-change-inc-to-find-perl-modules-in-non-standard-locations, as well as some other resources that are hard to remember.
Then,I noticed that in the error message, there are several paths mentioned and some mysterious
@INC. It seemed like this@INCwas something similar to the environment variable. So, I googled it, and that was the case. It looked like perl was trying to find the missing module at several paths listed in the error message and could not. This@INCvariable was reading from thePERL5LIBenvironment variable and would search whatever directory is mentioned there. But I didn’t havePERL5LIBvariable defined. And what value do I assign to it? What’s the path of this stupidLzma.pmmodule anyway?From the error message, it was clear that perl was looking for
Lzma.pmfile. So, I ranfind . -name "*Lzma.pm" | grep -i lzmato see where those files are stored. I have got several different locations (because there is system Perl and also the one installed withbrewearlier). I have tried them all, and the following one worked:export PERL5LIB=/opt/local/lib/perl5/vendor_perl/5.30/darwin-thread-multi-2level. ❗️Make sure you do not include theCompress/Raw/part of the path.Now, it works. 🥳
Trying to load this script with the default sha-bang and the system path export var results in
Lzma.c: loadable library and perl binaries are mismatched (got first handshake key 0xc700080, needed 0xfc00080)error.Also, when I tried uninstalling
p5.30-compress-raw-lzma, I gotCan't locate Compress/Raw/Lzma.pm in @INC (you may need to install the Compress::Raw::Lzma module) (@INC contains: /opt/local/lib/perl5/vendor_perl/5.30/darwin-thread-multi-2level /Library/Perl/5.30/darwin-thread-multi-2level /Library/Perl/5.30 /Network/Library/Perl/5.30/darwin-thread-multi-2level /Network/Library/Perl/5.30 /Library/Perl/Updates/5.30.3/darwin-thread-multi-2level /Library/Perl/Updates/5.30.3 /System/Library/Perl/5.30/darwin-thread-multi-2level /System/Library/Perl/5.30 /System/Library/Perl/Extras/5.30/darwin-thread-multi-2level /System/Library/Perl/Extras/5.30) at ./7z2john.pl line 6.again. So,sudo port install p5.30-compress-raw-lzmawas crucial as well. And these operations could be done safely -sudo port uninstall lzma,brew remove perl.To make this setting persistent, run
echo "export PERL5LIB=/opt/local/lib/perl5/vendor_perl/5.30/darwin-thread-multi-2leveln" >> ~/.zshrc.I hope that helps someone 🙂