sevagas / Swap_digger
Licence: gpl-3.0
swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.
Stars: β 354
Programming Languages
shell
77523 projects
Projects that are alternatives of or similar to Swap digger
Pentesting toolkit
π΄ββ οΈ Tools for pentesting, CTFs & wargames. π΄ββ οΈ
Stars: β 1,268 (+258.19%)
Mutual labels: hacking, forensics, post-exploitation
PSTrace
Trace ScriptBlock execution for powershell v2
Stars: β 38 (-89.27%)
Mutual labels: forensics, dfir
DFIR-O365RC
PowerShell module for Office 365 and Azure log collection
Stars: β 158 (-55.37%)
Mutual labels: forensics, dfir
smram parse
System Management RAM analysis tool
Stars: β 50 (-85.88%)
Mutual labels: forensics, dfir
iTunes Backup Reader
Python 3 Script to parse out iTunes backups
Stars: β 108 (-69.49%)
Mutual labels: forensics, dfir
WELA
WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! γηΎ
οΌγ¦γ§γ©οΌ
Stars: β 442 (+24.86%)
Mutual labels: forensics, dfir
MindMaps
#ThreatHunting #DFIR #Malware #Detection Mind Maps
Stars: β 224 (-36.72%)
Mutual labels: forensics, dfir
Free Security Ebooks
Free Security and Hacking eBooks
Stars: β 3,132 (+784.75%)
Mutual labels: hacking, forensics
uac
UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
Stars: β 260 (-26.55%)
Mutual labels: forensics, dfir
ad-privileged-audit
Provides various Windows Server Active Directory (AD) security-focused reports.
Stars: β 42 (-88.14%)
Mutual labels: forensics, dfir
CDIR
CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on oss tool/library
Stars: β 122 (-65.54%)
Mutual labels: forensics, dfir
EventTranscriptParser
Python based tool to extract forensic info from EventTranscript.db (Windows Diagnostic Data)
Stars: β 22 (-93.79%)
Mutual labels: forensics, dfir
Windows Post Exploitation
Windows post-exploitation tools, resources, techniques and commands to use during post-exploitation phase of penetration test. Contributions are appreciated. Enjoy!
Stars: β 296 (-16.38%)
Mutual labels: hacking, post-exploitation
INDXRipper
Carve file metadata from NTFS index ($I30) attributes
Stars: β 32 (-90.96%)
Mutual labels: forensics, dfir
LevelDBDumper
Dumps all of the Key/Value pairs from a LevelDB database
Stars: β 23 (-93.5%)
Mutual labels: forensics, dfir
swap_digger
swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purpose. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.
Download and run the tool
On your machine
Use the following commands to download and run the script on your machine:
git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx
On a mounted hard drive
To use swap_digger on a mounted hard drive, do the following:
First, download the script using the following commands:
git clone https://github.com/sevagas/swap_digger.git
cd swap_digger
chmod +x swap_digger.sh
Then, find the target swap file/partition with:
sudo ./swap_digger.sh -S
Finally, analyze the target by running:
sudo ./swap_digger.sh -vx -r path/to/mounted/target/root/fs -s path/to/target/swap/device
On a third party machine
Use the following commands to download and run the script on a third party machine (useful for pentests and CTFs):
wget https://raw.githubusercontent.com/sevagas/swap_digger/master/swap_digger.sh
chmod +x swap_digger.sh
sudo ./swap_digger.sh -vx -c
Note: Use the -c option to automatically remove the directory created by swap_digger (/tmp/swap_dig).
Simple run
If you only need to recover clear text Linux user passwords, simply run:
sudo ./swap_digger.sh
Available options
All options:
./swap_digger.sh [ OPTIONS ]
Options :
-x, --extended Run Extended tests on the target swap to retrieve other interesting data
(web passwords, emails, wifi creds, most accessed urls, etc)
-g, --guessing Try to guess potential passwords based on observations and stats
Warning: This option is not reliable, it may dig more passwords as well as hundreds false positives.
-h, --help Display this help.
-v, --verbose Verbose mode.
-l, --log Log all outputs in a log file (protected inside the generated working directory).
-c, --clean Automatically erase the generated working directory at end of script (will also remove log file)
-r PATH, --root-path=PATH Location of the target file-system root (default value is /)
Change this value for forensic analysis when target is a mounted file system.
This option has to be used along the -s option to indicate path to swap device.
-s PATH, --swap-path=PATH Location of swap device or swap dump to analyse
Use this option for forensic/remote analysis of a swap dump or a mounted external swap partition.
This option should be used with the -r option where at least /<root-path>/etc/shadow exists.
-S, --swap-search Search for all available swap devices (use for forensics).
Relevant resources
Blog posts about swap digging:
Contact
Feel free to message me on my Twitter account @EmericNasi
License and credits
The GNU General Public License version 3
Copyright 2017-2021 Emeric βSioβ Nasi (blog)
Note that the project description data, including the texts, logos, images, and/or trademarks,
for each open source project belongs to its rightful owner.
If you wish to add or remove any projects, please contact us at [email protected].