jbrown dfir-scripts

## comparehash.ps1
# find and hash one or more files
# Change include and path values as needed
gci -r -path C:\Windows\ -include explorer.exe, notepad.exe -erroraction silentlycontinue|Get-FileHash  -algorithm md5|sort-object |ft hash, path -AutoSize

## reverse Endian
#reverse Endian

echo $1|grep -o .. |tac| tr -d '\n'

# example: echo  "01d622d7c5a55c70|grep -o .. |tac| tr -d '\n'

## grabip.py
#! /usr/bin/python3
import
re
sys
ipaddress
f = open(sys.argv[1],'r')
string = f.read()
ip_list = []
ip_private = []
regex = re.findall(r'\b25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\.25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?\b',string)

## vtdomainscan.py
import requests
import csv

API_KEY = ''  # Replace with your VirusTotal API key

def get_domain_report(domain):
    url = f'https://www.virustotal.com/vtapi/v2/domain/report'
    params = {'apikey': API_KEY, 'domain': domain}
    response = requests.get(url, params=params)
    return response.json()

## create-NTLM-Hash.py
#!/usr/bin/python
import hashlib
import binascii

try:
    print("Enter Password")
    password = input()
    hash = hashlib.new('md4', password.encode('utf-16le')).digest()
    print(binascii.hexlify(hash).decode("utf-8"))
except:

## BOM2Unix
vi -c ":set nobomb" -c ":%s/\r//g" -c ":wq" input_file.txt

## appids2json.py
import json

def convert_to_dict(lines):
    """
    Convert lines of text into a dictionary.

    Args:
        lines (list): A list of strings, each containing a key-value pair separated by "|".

    Returns:

## setup-zimmerman-tools.sh
#! /bin/bash
[ $(whoami) != "root" ] && echo "Requires sudo!" && exit

# Install powershell and dotnet 9
which pwsh || snap install powershell --classic
which dotnet && dotnet --list-runtimes|grep 9\\.0 || \
add-apt-repository ppa:dotnet/backports -y  && \
apt-get update
apt-get install -y dotnet-sdk-9.0 -y  || exit

## nthasher.py
#!/usr/bin/env python3
"""
Simple NT Hash Generator
Uses impacket to generate NT hash from password input
"""

from impacket.ntlm import compute_nthash

def main():
    print("NT Hash Generator")
	# find and hash one or more files
	# Change include and path values as needed
	gci -r -path C:\Windows\ -include explorer.exe, notepad.exe -erroraction silentlycontinue\|Get-FileHash -algorithm md5\|sort-object \|ft hash, path -AutoSize
	#reverse Endian

	echo $1\|grep -o .. \|tac\| tr -d '\n'

	# example: echo "01d622d7c5a55c70\|grep -o .. \|tac\| tr -d '\n'
	#! /usr/bin/python3
	import
	re
	sys
	ipaddress
	f = open(sys.argv[1],'r')
	string = f.read()
	ip_list = []
	ip_private = []
	regex = re.findall(r'\b25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?\.25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?\.25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?\.25[0-5]\|2[0-4][0-9]\|[01]?[0-9][0-9]?\b',string)
	import requests
	import csv

	API_KEY = '' # Replace with your VirusTotal API key

	def get_domain_report(domain):
	url = f'https://www.virustotal.com/vtapi/v2/domain/report'
	params = {'apikey': API_KEY, 'domain': domain}
	response = requests.get(url, params=params)
	return response.json()
	#!/usr/bin/python
	import hashlib
	import binascii

	try:
	print("Enter Password")
	password = input()
	hash = hashlib.new('md4', password.encode('utf-16le')).digest()
	print(binascii.hexlify(hash).decode("utf-8"))
	except:
	import json

	def convert_to_dict(lines):
	"""
	Convert lines of text into a dictionary.

	Args:
	lines (list): A list of strings, each containing a key-value pair separated by "\|".

	Returns:
	#! /bin/bash
	[ $(whoami) != "root" ] && echo "Requires sudo!" && exit

	# Install powershell and dotnet 9
	which pwsh \|\| snap install powershell --classic
	which dotnet && dotnet --list-runtimes\|grep 9\\.0 \|\| \
	add-apt-repository ppa:dotnet/backports -y && \
	apt-get update
	apt-get install -y dotnet-sdk-9.0 -y \|\| exit
	#!/usr/bin/env python3
	"""
	Simple NT Hash Generator
	Uses impacket to generate NT hash from password input
	"""

	from impacket.ntlm import compute_nthash

	def main():
	print("NT Hash Generator")