- FFUF =
{
'enabled' => true,
'location' => {
'base' => '$XDG_CONFIG_HOME/ffuf', # ~/.config/ffuf
'history' => {
'path' => '<base>/history',
'description' => "Folder containing the history of command options used.\n" \
'Those files contain target URL but may also contains secrets in headers.'
}
}
}.freeze
- JOHN =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.john', # ~/.john
#
#
'logs' => {
'path' => '<base>/john.log',
'description' => "File containing the logs of the commands launched.\n" \
'Does not contain hashes or passwords but usernames and whole command lines.'
},
'potfile' => {
'path' => '<base>/john.pot',
'description' => "File containing all cracked hashes.\n" \
'Passwords may include enterprize related content or may be easily recognizable.'
}
}
}.freeze
- AMASS =
{
'enabled' => true,
'location' => {
'base' => '$XDG_CONFIG_HOME/amass', # ~/.config/amass
'logs' => {
'path' => '<base>/amass.log',
'description' => 'Log file containing the searched domain.'
},
'database' => {
'path' => '<base>/amass.sqlite',
'description' => "Database file.\nContains search results."
}
}
}.freeze
- MOBSF =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.MobSF', # ~/.MobSF
'logs' => {
'path' => '<base>/debug.log',
'description' => 'Logs file containing at least APK name.'
},
'downloads' => {
'path' => '<base>/downloads',
'description' => 'Directory where are stored files extracted from APK or screenshots of the app running.'
},
'uploads' => {
'path' => '<base>/uploads',
'description' => 'Directory containing decompressed APKs.'
},
'database' => {
'path' => '<base>/db.sqlite3',
'description' => 'Database file containing at least APK name.'
}
}
}.freeze
- RECAF =
{
'enabled' => true,
'location' => {
'base' => '$XDG_CONFIG_HOME/Recaf', # ~/.config/Recaf
'classpath' => {
'path' => '<base>/classpath',
'description' => "Folder containing JARs.\n" \
'Those JARs contain the classpath of previously openned JARs.'
},
'logs' => {
'path' => '<base>/rclog.txt',
'description' => "Log file of the last session.\n" \
'Contains class names, file names or commands if openned in CLI mode.'
}
}
}.freeze
- DBGATE =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.dbgate', # ~/.dbgate
'connections' => {
'enabled' => false,
'path' => '<base>/connections.jsonl',
'description' => "File containing connection shortchuts.\n" \
'Connection objects contain target domain or IP address.'
},
'logs' => {
'path' => '<base>/logs',
'description' => "Logs folder.\n" \
"Those log events shouldn't contain customer information but who knows."
}
}
}.freeze
- LSASSY =
{
'enabled' => true,
'location' => {
'base' => '$XDG_CONFIG_HOME/lsassy', # ~/.config/lsassy
'masterkeys' => {
'path' => '<base>/masterkeys.txt',
'description' => 'File containing master keys retreived from targets.'
},
'tickets' => {
'path' => '<base>/tickets',
'description' => 'Folder containing dumped tickets (TGT, TGS) from targets.'
}
}
}.freeze
- NCRACK =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.ncrack', # ~/.ncrack
'restore' => {
'path' => '<base>',
'description' => "Directory containing retore files to resume a cracking session.\n" \
'Restore files contain the command launch including the username or wordlist used.'
}
}
}.freeze
- SQLMAP =
{
'enabled' => true,
'location' => {
'base' => '$XDG_DATA_HOME/sqlmap', # ~/.local/share/sqlmap
'history' => {
'path' => '<base>/history',
'description' => "Directory containing history files.\n" \
"os.hst stores system commands entered when using --os-pwn option.\n" \
'sql.hst stores SQL quries entered when using --os-shell option.'
},
'logs' => {
'path' => '<base>/output',
'description' => "Directory containing a folder per target.\n" \
"<target>/log contains all successful injection vectors.\n" \
"<target>/session.sqlite contains retrieved data.\n" \
'<target>/target.txt contains target URL + command used.'
}
}
}.freeze
- HASHCAT =
{
'enabled' => true,
'location' => {
'base' => '$XDG_DATA_HOME/hashcat', # ~/.local/share/hashcat
'sessions' => {
'path' => '<base>/sessions',
'enaled' => false,
'description' => "Directory containing session related data.\n" \
'hashcat.log should not contain any sensible data unless the file name ' \
"of a target file is sensible.\n" \
'show.log should not contain any sensible data unless the folder name is sensible.'
},
'potfile' => {
'path' => '<base>/hashcat.potfile',
'description' => "File containing all cracked hashes.\n" \
'Passwords may include enterprize related content or may be easily recognizable.'
},
'dict_cache' => {
'path' => '<base>/hashcat.dictstat2',
'enabled' => false,
'description' => "File is a cache for dictionaries.\n" \
'It should not be sensible unless dict. contain confidential data.'
}
}
}.freeze
- NETEXEC =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.nxc', # ~/.nxc
'logs' => {
'path' => '<base>/logs',
'description' => 'Directory containing log files, secrets, hashes, cleartext password etc.'
},
'screenshots' => {
'path' => '<base>/screenshots',
'description' => 'Directory where are stored all screenshots taken with the --screenshot option.'
},
'workspaces' => {
'path' => '<base>/workspaces',
'description' => "Directory containing workspaces.\n" \
'Workspaces contain SQLite databases including users (domain, usernames, password), ' \
'shares, hosts, dpapi secrets, etc.'
}
}
}.freeze
- REMMINA =
{
'enabled' => true,
'location' => {
'base' => '$XDG_DATA_HOME/remmina', # ~/.local/share/remmina/
'configs' => {
'enabled' => false,
'path' => '<base>/*.remmina',
'description' => "Configuration files for saved targets.\n" \
'It could contain usernames, passwords, IP addresses, target name.'
}
}
}.freeze
- SEMGREP =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.semgrep', # ~/.semgrep
'logs1' => {
'path' => '<base>/last.log',
'description' => 'Logs files containing project path.'
},
'logs2' => {
'path' => '<base>/semgrep.log',
'description' => 'Logs files containing project path.'
}
}
}.freeze
- WEEVELY =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.weevely', # ~/.weevely
'history' => {
'path' => '<base>/history',
'description' => 'File containing the history of the commands typed on webshells.'
},
'sessions' => {
'path' => '<base>/sessions',
'description' => "Directory containing session files.\n" \
'Session files contain URL to webshell, webshell password, extension results, etc.'
},
'logs' => {
'path' => '<base>/weevely.log*',
'description' => "Files containing the logs.\n" \
"A log file contains the response to commands executed on the remote machine.\n" \
'As there is a rotation, mutiple log files may exist. The last will be weevely.log ' \
'then the older ones will follow the pattern weevely.log.<number> e.g. weevely.log.1 ' \
'etc.'
}
}
}.freeze
- WHATWAF =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.whatwaf', # ~/.whatwaf
'database' => {
'path' => '<base>/whatwaf.sqlite',
'description' => 'File (database) containing cached payloads and URLs.'
}
}
}.freeze
- JWT_TOOL =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.jwt_tool', # ~/.jwt_tool
'logs' => {
'path' => '<base>/logs.txt',
'description' => "File containing the logs of the commands launched.\n" \
'Contains the JWT for all injections and tamper attemps.'
}
}
}.freeze
- MANSPIDER =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.manspider', # ~/.manspider
'logs' => {
'path' => '<base>/logs',
'description' => "Directory containing log files.\n" \
'Log files contains commands with the password not redacted and the path of all ' \
'extracted files.'
},
'loot' => {
'path' => '<base>/loot',
'description' => "Directory containing looted files.\n" \
'Those are retrieved clients files.'
}
}
}.freeze
- BLOODHOUND =
{
'enabled' => false,
'location' => {
'base' => '/var/lib/neo4j',
'database' => {
'path' => '<base>/data/databases/neo4j',
'description' => "Folder containing the database data.\n" \
"Data contains all dumped AD objects.\n" \
"Bloodhound use default neo4j database.\n" \
'⚠ Requires neo4j or root permissions to remove.'
},
'transactions' => {
'path' => '<base>/data/transactions/neo4j',
'description' => "Folder containing database transactions.\n" \
"Bloodhound use default neo4j database.\n" \
'⚠ Requires neo4j or root permissions to remove.'
}
}
}.freeze
- METASPLOIT =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.msf4', # ~/.msf4
#
#
'history' => {
'path' => '<base>/history',
'description' => "File containing the history of commands used in msf shell.\n" \
'It certainly contains username, passwords, hostnames, etc.'
},
'logs' => {
'path' => '<base>/logs',
'description' => "Directory containing log files.\n" \
"framework.log may contain stacktraces that contain payloads.\n" \
"production.log and sessions/ ? (I don't know, empty for me)"
},
'loot' => {
'path' => '<base>/loot',
'description' => "Directory containing looted files.\n" \
'Those are retrieved clients files.'
},
'meterpreter' => {
'path' => '<base>/meterpreter_history',
'description' => "File containing the history of commands used in meterpreter sessions.\n" \
"Less sensible than msf shell history but could still contains some file paths, \n" \
'for example.'
}
}
}.freeze
# NOTE(review): this entry has no "- NAME =" line in the listing, so the hash is
# not bound to a constant as shown. The paths point at ~/.spiderfoot, so it is
# presumably the SpiderFoot entry; confirm the constant name in the source file.
# Per the descriptions, the database keeps target domains in logs and results,
# and the log directory keeps the targets' IP addresses.
{
  'enabled' => true,
  'location' => {
    'base' => '$HOME/.spiderfoot', # ~/.spiderfoot
    'database' => {
      'path' => '<base>/spiderfoot.db',
      'description' => "Database file.\n" \
                       'It contains target domains in logs and results.'
    },
    'logs' => {
      'path' => '<base>/logs',
      'description' => "Directory containing debug and errors logs.\n" \
                       'Logs contain IP addresses of targets.'
    }
  }
}.freeze
- CRACKMAPEXEC =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.cme', # ~/.cme
'logs' => {
'path' => '<base>/logs',
'description' => 'Directory containing log files, secrets, hashes, cleartext passwords etc.'
},
'screenshots' => {
'path' => '<base>/screenshots',
'description' => 'Directory where are stored all screenshots taken with the --screenshot option.'
},
'workspaces' => {
'path' => '<base>/workspaces',
'description' => "Directory containing workspaces.\n" \
'Workspaces contain SQLite databases including users (domain, usernames, password), ' \
'shares, hosts, dpapi secrets, etc.'
}
}
}.freeze
- THEHARVESTER =
{
'enabled' => true,
'location' => {
'base' => '$XDG_DATA_HOME/theHarvester', # ~/.local/share/theHarvester
#
'stash' => {
'path' => '<base>/stash.sqlite',
'description' => 'File (SQLite DB) containing all the harvested addresses.'
}
}
}.freeze
- MONGODB_COMPASS =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.mongodb/compass', # ~/.mongodb/compass
'logs' => {
'path' => '<base>/*_log.gz',
'description' => "Compressed log files.\n" \
'Credentials are redacted but logs still contain IP and port.'
}
}
}.freeze
- MONGODB_MONGOSH =
{
'enabled' => true,
'location' => {
'base' => '$HOME/.mongodb/mongosh', # ~/.mongodb/mongosh
'logs' => {
'path' => '<base>/*_log',
'description' => "Log files.\n" \
'Contain at least information about target (IP, port).'
},
'history' => {
'path' => '<base>/mongosh_repl_history',
'description' => "History file.\n" \
'Contain the history of commands typed in mongosh shell.'
}
}
}.freeze
- HOME_HISTORY_FILES =
{
'enabled' => true,
'location' => {
'base' => '$HOME', # ~/
'python' => {
'path' => '<base>/.python_history',
'description' => "Python history file.\n" \
'Contains all commands entered in the Python REPL.'
},
'postgresql' => {
'path' => '<base>/.psql_history',
'description' => "PostgreSQL history file.\n" \
'Contains all commands entered in the PostegreSQL shell.'
},
'ruby-irb' => {
'path' => '<base>/.irb_history',
'description' => "Ruby (IRB) hitory file.\n" \
'Contains all commands entered in the Ruby REPL.'
},
'ruby-rdbg' => {
'path' => '<base>/.rdbg_history',
'description' => "Ruby (rdbg) hitory file.\n" \
'Contains all commands entered in the Ruby debugger.'
},
'redis-cli' => {
'path' => '<base>/.rediscli_history',
'description' => "Redis CLI history file.\n" \
'Contains all commands entered in the redis-cli shell.'
},
'bash' => {
'enabled' => false,
'path' => '<base>/.bash_history',
'description' => "Bash history file.\n" \
'Contains all commands entered in the Bash shell.'
},
'zsh' => {
'enabled' => false,
'path' => '<base>/.zsh_history',
'description' => "Zsh history file.\n" \
'Contains all commands entered in the Zsh shell.'
},
'zsh-alt' => {
'enabled' => false,
'path' => '<base>/.histfile',
'description' => "Zsh history file.\n" \
"Contains all commands entered in the Zsh shell.\n" \
'Alternative Zsh history file location set by zsh-newuser-install in HISTFILE ' \
'environment variable.'
}
}
}.freeze