domingo, 4 de junho de 2023

Emulating Shellcodes - Chapter 1

 There are many basic shellcodes that can be emulated from the beginning from the end providing IOC like where is connecting and so on. But what can we do when the emulation get stuck at some point?

The console has many tools to interact with the emulator like it was a debugger but the shellcode really is not being executed so is safer than a debugger.

target/release/scemu -f ~/Downloads/shellcodes_matched/drv_shellcode.bin -vv 


In some shellcodes the emulator emulates millions of instructions without problem, but in this case at instruction number 176 there is a crash, the [esp + 30h] contain an unexpected 0xffffffff.

There are two ways to trace the memory, tracing all memory operations with -m or inspecting specific place with -i which allow to use registers to express the memory location:

target/release/scemu -f ~/Downloads/shellcodes_matched/drv_shellcode.bin  -i 'dword ptr [esp + 0x30]'


Now we know that in position 174 the value 0xffffffff is set.

But we have more control if we set the console at first instruction with -c 1 and set a memory breakpoint on write.




This "dec" instruction changes the zero for the 0xffffffff, and the instruction 90 is what actually is changing the stack value.

Lets trace the eax register to see if its a kind of counter or what is doing.


target/release/scemu -f ~/Downloads/shellcodes_matched/drv_shellcode.bin  --reg eax 


Eax is not a counter, is getting hardcoded values which is probably an API name:


In this case this shellcode depend on previous states and crash also in the debugger because of  register values. this is just an example of how to operate in cases where is not fully emulated.

In next chapter will see how to unpack and dump to disk using the emulator.


Related articles

Hacking Everything With RF And Software Defined Radio - Part 3


Reversing Device Signals with RFCrack for Red Teaming


This blog was researched and automated by:
@Ficti0n 
@GarrGhar 
Mostly because someone didn't want to pay for a new clicker that was lost LOL

Websites:
Console Cowboys: http://consolecowboys.com 
CC Labs: http://cclabs.io

CC Labs Github for RFCrack Code:
https://github.com/cclabsInc/RFCrack


Contrived Scenario: 

Bob was tasked to break into XYZ  corporation, so he pulled up the facility on google maps to see what the layout was. He was looking for any possible entry paths into the company headquarters. Online maps showed that the whole facility was surrounded by a security access gate. Not much else could be determined remotely so bob decided to take a drive to the facility and get a closer look. 

Bob parked down the street in view of the entry gate. Upon arrival he noted the gate was un-manned and cars were rolling up to the gate typing in an access code or simply driving up to the gate as it opening automatically.  Interestingly there was some kind of wireless technology in use. 

How do we go from watching a car go through a gate, to having a physical device that opens the gate?  

We will take a look at reversing a signal from an actual gate to program a remote with the proper RF signal.  Learning how to perform these steps manually to get a better understanding of how RF remotes work in conjunction with automating processes with RFCrack. 

Items used in this blog: 

Garage Remote Clicker: https://goo.gl/7fDQ2N
YardStick One: https://goo.gl/wd88sr
RTL SDR: https://goo.gl/B5uUAR


 







Walkthrough Video: 




Remotely sniffing signals for later analysis: 

In the the previous blogs, we sniffed signals and replayed them to perform actions. In this blog we are going to take a look at a signal and reverse it to create a physical device that will act as a replacement for the original device. Depending on the scenario this may be a better approach if you plan to enter the facility off hours when there is no signal to capture or you don't want to look suspicious. 

Recon:

Lets first use the scanning functionality in RFCrack to find known frequencies. We need to understand the frequencies that gates usually use. This way we can set our scanner to a limited number of frequencies to rotate through. The smaller rage of frequencies used will provide a better chance of capturing a signal when a car opens the target gate. This would be beneficial if the scanning device is left unattended within a dropbox created with something like a Kali on a Raspberry Pi. One could access it from a good distance away by setting up a wifi hotspot or cellular connection.

Based on research remotes tend to use 315Mhz, 390Mhz, 433Mhz and a few other frequencies. So in our case we will start up RFCrack on those likely used frequencies and just let it run. We can also look up the FCID of our clicker to see what Frequencies manufactures are using. Although not standardized, similar technologies tend to use similar configurations. Below is from the data sheet located at https://fccid.io/HBW7922/Test-Report/test-report-1755584 which indicates that if this gate is compatible with a universal remote it should be using the 300,310, 315, 372, 390 Frequencies. Most notably the 310, 315 and 390 as the others are only on a couple configurations. 




RFCrack Scanning: 

Since the most used ranges are 310, 315, 390 within our universal clicker, lets set RFCrack scanner to rotate through those and scan for signals.  If a number of cars go through the gate and there are no captures we can adjust the scanner later over our wifi connection from a distance. 

Destroy:RFCrack ficti0n$ python RFCrack.py -k -f 310000000 315000000 390000000
Currently Scanning: 310000000 To cancel hit enter and wait a few seconds

Currently Scanning: 315000000 To cancel hit enter and wait a few seconds

Currently Scanning: 390000000 To cancel hit enter and wait a few seconds

e0000000000104007ffe0000003000001f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c00000000000000000000000000000000000000000000e0007f037fe007fc00ff801ff07ffe0fffe1fffc3fff0001f00000000000000000000000000000000000000000000003809f641fff801ff003fe00ffc1fff83fff07ffe0fffc000f80000000000000000000000000000000000000000000003c0bff01bdf003fe007fc00ff83fff07ffe0fffc1fff8001f0000000000000000000000000000000000000000000000380000000000000000002007ac115001fff07ffe0fffc000f8000000000000000000000000000000000000000
Currently Scanning: 433000000 To cancel hit enter and wait a few seconds


Example of logging output: 

From the above output you will see that a frequency was found on 390. However, if you had left this running for a few hours you could easily see all of the output in the log file located in your RFCrack/scanning_logs directory.  For example the following captures were found in the log file in an easily parseable format: 

Destroy:RFCrack ficti0n$ cd scanning_logs/
Destroy:scanning_logs ficti0n$ ls
Dec25_14:58:45.log Dec25_21:17:14.log Jan03_20:12:56.log
Destroy:scanning_logs ficti0n$ cat Dec25_21\:17\:14.log
A signal was found on :390000000
c0000000000000000000000000008000000000000ef801fe003fe0fffc1fff83fff07ffe0007c0000000000000000000000000000000000000000000001c0000000000000000050003fe0fbfc1fffc3fff83fff0003e00000000000000000000000000000000000000000000007c1fff83fff003fe007fc00ff83fff07ffe0fffc1fff8001f00000000000000000000000000000000000000000000003e0fffc1fff801ff003fe007fc1fff83fff07ffe0fffc000f80000000000000000000000000000000000000000000001f07ffe0dffc00ff803ff007fe0fffc1fff83fff07ffe0007c000000000000000000000000000000000000000000
A signal was found on :390000000
e0000000000104007ffe0000003000001f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c00000000000000000000000000000000000000000000e0007f037fe007fc00ff801ff07ffe0fffe1fffc3fff0001f00000000000000000000000000000000000000000000003809f641fff801ff003fe00ffc1fff83fff07ffe0fffc000f80000000000000000000000000000000000000000000003c0bff01bdf003fe007fc00ff83fff07ffe0fffc1fff8001f0000000000000000000000000000000000000000000000380000000000000000002007ac115001fff07ffe0fffc000f8000000000000000000000000000000000000000



Analyzing the signal to determine toggle switches: 

Ok sweet, now we have a valid signal which will open the gate. Of course we could just replay this and open the gate, but we are going to create a physical device we can pass along to whoever needs entry regardless if they understand RF. No need to fumble around with a computer and look suspicious.  Also replaying a signal with RFCrack is just to easy, nothing new to learn taking the easy route. 

The first thing we are going to do is graph the capture and take a look at the wave pattern it creates. This can give us a lot of clues that might prove beneficial in figuring out the toggle switch pattern found in remotes. There are a few ways we can do this. If you don't have a yardstick at home you can capture the initial signal with your cheap RTL-SDR dongle as we did in the first RF blog. We could then open it in audacity. This signal is shown below. 



Let RFCrack Plot the Signal For you: 

The other option is let RFCrack help you out by taking a signal from the log output above and let RFCrack plot it for you.  This saves time and allows you to use only one piece of hardware for all of the work.  This can easily be done with the following command: 

Destroy:RFCrack ficti0n$ python RFCrack.py -n -g -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c
-n = No yardstick attached
-g = graph a single signal
-u = Use this piece of data




From the graph output we see 2 distinct crest lengths and some junk at either end we can throw away. These 2 unique crests correspond to our toggle switch positions of up/down giving us the following 2 possible scenarios using a 9 toggle switch remote based on the 9 crests above: 

Possible toggle switch scenarios:

  1. down down up up up down down down down
  2. up up down down down up up up up 

Configuring a remote: 

Proper toggle switch configuration allows us to program a universal remote that sends a signal to the gate. However even with the proper toggle switch configuration the remote has many different signals it sends based on the manufacturer or type of signal.  In order to figure out which configuration the gate is using without physically watching the gate open, we will rely on local signal analysis/comparison.  

Programming a remote is done by clicking the device with the proper toggle switch configuration until the gate opens and the correct manufacturer is configured. Since we don't have access to the gate after capturing the initial signal we will instead compare each signal from he remote to the original captured signal. 


Comparing Signals: 

This can be done a few ways, one way is to use an RTLSDR and capture all of the presses followed by visually comparing the output in audacity. Instead I prefer to use one tool and automate this process with RFCrack so that on each click of the device we can compare a signal with the original capture. Since there are multiple signals sent with each click it will analyze all of them and provide a percent likelihood of match of all the signals in that click followed by a comparing the highest % match graph for visual confirmation. If you are seeing a 80-90% match you should have the correct signal match.  

Note:  Not every click will show output as some clicks will be on different frequencies, these don't matter since our recon confirmed the gate is communicating on 390Mhz. 

In order to analyze the signals in real time you will need to open up your clicker and set the proper toggle switch settings followed by setting up a sniffer and live analysis with RFCrack: 

Open up 2 terminals and use the following commands: 

#Setup a sniffer on 390mhz
  Setup sniffer:      python RFCrack.py -k -c -f 390000000.     
#Monitor the log file, and provide the gates original signal
  Setup Analysis:     python RFCrack.py -c -u 1f0fffe0fffc01ff803ff007fe0fffc1fff83fff07ffe0007c -n.  

Cmd switches used
-k = known frequency
-c = compare mode
-f = frequency
-n = no yardstick needed for analysis

Make sure your remote is configured for one of the possible toggle configurations determined above. In the below example I am using the first configuration, any extra toggles left in the down position: (down down up up up down down down down)




Analyze Your Clicks: 

Now with the two terminals open and running click the reset switch to the bottom left and hold till it flashes. Then keep clicking the left button and viewing the output in the sniffing analysis terminal which will provide the comparisons as graphs are loaded to validate the output.  If you click the device and no output is seen, all that means is that the device is communicating on a frequency which we are not listening on.  We don't care about those signals since they don't pertain to our target. 

At around the 11th click you will see high likelihood of a match and a graph which is near identical. A few click outputs are shown below with the graph from the last output with a 97% match.  It will always graph the highest percentage within a click.  Sometimes there will be blank graphs when the data is wacky and doesn't work so well. This is fine since we don't care about wacky data. 

You will notice the previous clicks did not show even close to a match, so its pretty easy to determine which is the right manufacture and setup for your target gate. Now just click the right hand button on the remote and it should be configured with the gates setup even though you are in another location setting up for your test. 

For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.05
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.12
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.14
Percent Chance of Match for press is: 0.20
Percent Chance of Match for press is: 0.19
Percent Chance of Match for press is: 0.25
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png
----------Start Signals In Press--------------
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.93
Percent Chance of Match for press is: 0.97
Percent Chance of Match for press is: 0.90
Percent Chance of Match for press is: 0.88
Percent Chance of Match for press is: 0.44
----------End Signals In Press------------
For Visual of the last signal comparison go to ./imageOutput/LiveComparison.png


Graph Comparison Output for 97% Match: 







Conclusion: 


You have now walked through successfully reversing a toggle switch remote for a security gate. You took a raw signal and created a working device using only a Yardstick and RFCrack.  This was just a quick tutorial on leveraging the skillsets you gained in previous blogs in order to learn how to analyze  RF signals within embedded devices. There are many scenarios these same techniques could assist in.  We also covered a few new features in RF crack regarding logging, graphing and comparing signals.  These are just a few of the features which have been added since the initial release. For more info and other features check the wiki. 

Related word


  1. How To Hack
  2. Hack Website Online Tool
  3. Pentest Tools Url Fuzzer
  4. Bluetooth Hacking Tools Kali
  5. Tools Used For Hacking
  6. Hacking Tools For Pc
  7. Hacker Tools Hardware
  8. Hack Tools 2019
  9. Computer Hacker
  10. Hacker Hardware Tools
  11. New Hacker Tools
  12. Pentest Tools Find Subdomains
  13. Github Hacking Tools
  14. Computer Hacker
  15. Black Hat Hacker Tools
  16. Github Hacking Tools
  17. Pentest Tools Linux
  18. Top Pentest Tools
  19. Hacker Tools Github
  20. Hacker Tools For Windows
  21. Hackers Toolbox
  22. Pentest Tools Android
  23. Hack App
  24. Hack Tools Pc
  25. Hack Tool Apk
  26. Hack Apps
  27. Tools For Hacker
  28. Pentest Tools Online
  29. Hacking Tools 2020
  30. Hacks And Tools
  31. Hacking Tools Mac
  32. Hak5 Tools
  33. Usb Pentest Tools
  34. Hacking Tools Software
  35. Install Pentest Tools Ubuntu
  36. Hacking Tools
  37. Physical Pentest Tools
  38. Hacker Tools Free
  39. Hacking Tools For Pc
  40. Pentest Tools Apk
  41. Hacker Tools 2019
  42. Hackers Toolbox
  43. Hacker Tools Apk
  44. Hacker Tools Mac
  45. Hack Tools For Pc
  46. Best Hacking Tools 2020
  47. Tools 4 Hack
  48. Hacking Tools For Beginners
  49. New Hack Tools
  50. Hacker Hardware Tools
  51. Wifi Hacker Tools For Windows
  52. What Is Hacking Tools
  53. Best Hacking Tools 2019
  54. Hack Tools 2019
  55. Hacking Tools Windows
  56. Pentest Tools Port Scanner
  57. Hack And Tools
  58. Hack Tools For Windows
  59. Pentest Tools Linux
  60. Hacking Tools Online
  61. Hacking Tools Download
  62. Pentest Tools For Ubuntu
  63. Game Hacking
  64. Pentest Tools Subdomain
  65. Hacker Security Tools
  66. Hackrf Tools
  67. Hacking Tools For Beginners
  68. Ethical Hacker Tools
  69. How To Make Hacking Tools
  70. Easy Hack Tools
  71. Tools 4 Hack
  72. Hacker Tools Github
  73. Top Pentest Tools
  74. Hacking Tools Windows 10
  75. New Hack Tools
  76. Pentest Tools For Windows
  77. Hack Tools 2019
  78. Hacker Tools Free
  79. Hacker Tools Windows
  80. Hacker Techniques Tools And Incident Handling
  81. Hacker Tools Online
  82. Hacking Tools Download
  83. Termux Hacking Tools 2019
  84. Hacking Tools
  85. Pentest Tools
  86. Pentest Tools For Mac
  87. Pentest Tools Port Scanner
  88. Hacker Tools Windows
  89. Hackrf Tools
  90. Pentest Tools
  91. Hack Tools
  92. Ethical Hacker Tools
  93. Hacker Tools For Windows
  94. Pentest Tools For Mac
  95. Pentest Tools Online
  96. Hack Tool Apk
  97. Pentest Tools Download

Reversing Rust String And Str Datatypes

Lets build an app that uses several data-types in order to see how is stored from a low level perspective.

Rust string data-types

The two first main objects are "str" and String, lets check also the constructors.




Imports and functions

Even such a basic program links several libraries and occupy 2,568Kb,  it's really not using the imports and expots the runtime functions even the main. 


Even a simple string operation needs 544 functions on rust:


Main function

If you expected see a clear main function I regret to say that rust doesn't seem a real low-level language In spite of having a full control of the memory.


Ghidra turns crazy when tries to do the recursive parsing of the rust code, and finally we have the libc _start function, the endless loop after main is the way Ghidra decompiles the HLT instruction.


If we jump to main, we see a function call, the first parameter is rust_main as I named it below:



If we search "hello world" on the Defined Strings sections, matches at the end of a large string


After doing "clear code bytes" we can see the string and the reference:


We can see that the literal is stored in an non null terminated string, or most likely an array of bytes. we have a bunch of byte arrays and pointed from the code to the beginning.
Let's follow the ref.  [ctrl]+[shift]+[f] and we got the references that points to the rust main function.


After several naming thanks to the Ghidra comments that identify the rust runtime functions, the rust main looks more understandable.
See below the ref to "hello world" that is passed to the string allocated hard-coding the size, because is non-null terminated string and there is no way to size this, this also helps to the rust performance, and avoid the c/c++ problems when you forgot the write the null byte for example miscalculating the size on a memcpy.


Regarding the string object, the allocator internals will reveal the structure in static.
alloc_string function call a function that calls a function that calls a function and so on, so this is the stack (also on static using the Ghidra code comments)

1. _$LT$alloc..string..String$u20$as$u20$core..convert..From$LT$$RF$str$GT$$GT$::from::h752d6ce1f15e4125
2. alloc::str::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$str$GT$::to_owned::h649c495e0f441934
3. alloc::slice::_$LT$impl$u20$alloc..borrow..ToOwned$u20$for$u20$$u5b$T$u5d$$GT$::to_owned::h1eac45d28
4. alloc::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::to_vec::h25257986b8057640
5. alloc::slice::hack::to_vec::h37a40daa915357ad
6. core::slice::_$LT$impl$u20$$u5b$T$u5d$$GT$::len::h2af5e6c76291f524
7. alloc::vec::Vec$LT$T$GT$::extend_from_slice::h190290413e8e57a2
8. _$LT$alloc..vec..Vec$LT$T$GT$$u20$as$u20$alloc..vec..SpecExtend$LT$$RF$T$C$core..slice..Iter$LT$T$GT$$GT$$GT$::spec_extend::h451c2f92a49f9caa
...


Well I'm not gonna talk about the performance impact on stack but really to program well reusing code grants the maintainability and its good, and I'm sure that the rust developed had measured that and don't compensate to hardcode directly every constructor.

At this point we have two options, check the rust source code, or try to figure out the string object in dynamic with gdb.

Source code

Let's explain this group of substructures having rust source code in the hand.
The string object is defined at string.rs and it's simply an u8 type vector.



And the definition of vector can be found at vec.rs  and is composed by a raw vector an the len which is the usize datatype.



The RawVector is a struct that helds the pointer to the null terminated string stored on an Unique object, and also contains the allocation pointer, here raw_vec.rs definition.



The cap field is the capacity of the allocation and a is the allocator:



Finally the Unique object structure contains a pointer to the null terminated string, and also a one byte marker core::marker::PhantomData



Dynamic analysis

The first parameter of the constructor is the interesting one, and in x64 arch is on RDI register, the extrange sequence RDI,RSI,RDX,RCX it sounds like ACDC with a bit of imagination (di-si-d-c)

So the RDI parámeter is the pointer to the string object:



So RDI contains the stack address pointer that points the the heap address 0x5578f030.
Remember to disable ASLR to correlate the addresses with Ghidra, there is also a plugin to do the synchronization.

Having symbols we can do:
p mystring

and we get the following structure:

String::String {
  vec: alloc::vec::Vec {
    buf: alloc::raw_vec::RawVec {
      ptr: core::ptr::unique::Unique {
        pointer: 0x555555790130 "hello world\000",
        _marker: core::marker::PhantomData
     },
     cap: 11,
     a: alloc::alloc::Global
   },
   len: 11
  }
}

If the binary was compiled with symbols we can walk the substructures in this way:

(gdb) p mystring.vec.buf.ptr
$6 = core::ptr::unique::Unique {pointer: 0x555555790130 "hello world\000", _marker: core::marker::PhantomData}

(gdb) p mystring.vec.len

$8 = 11

If we try to get the pointer of each substructure we would find out that the the pointer is the same:


If we look at this pointer, we have two dwords that are the pointer to the null terminated string, and also 0xb which is the size, this structure is a vector.


The pionter to the c string is 0x555555790130




This seems the c++ string but, let's look a bit deeper:

RawVector
  Vector:
  (gdb) x/wx 0x7fffffffdf50
  0x7fffffffdf50: 0x55790130  -> low dword c string pointer
  0x7fffffffdf54: 0x00005555  -> hight dword c string pointer
  0x7fffffffdf58: 0x0000000b  -> len

0x7fffffffdf5c: 0x00000000
0x7fffffffdf60: 0x0000000b  -> low cap (capacity)
0x7fffffffdf64: 0x00000000  -> hight cap
0x7fffffffdf68: 0xf722fe27  -> low a  (allocator)
0x7fffffffdf6c: 0x00007fff  -> hight a
0x7fffffffdf70: 0x00000005 

So in this case the whole object is in stack except the null-terminated string.




More information


  1. Pentest Tools Linux
  2. Pentest Tools Website Vulnerability
  3. Hack Website Online Tool
  4. Pentest Tools
  5. Hacker Tools For Mac
  6. Hacker Tools
  7. New Hacker Tools
  8. Hacker Tools Free Download
  9. Computer Hacker
  10. Pentest Tools Download
  11. Hacking Tools 2019
  12. World No 1 Hacker Software
  13. Pentest Tools For Mac
  14. Hacker Security Tools
  15. Hacking Tools For Mac
  16. Pentest Tools Windows
  17. New Hack Tools
  18. Hacking Tools Github
  19. Hacker Tools Free
  20. Hack Tools For Ubuntu
  21. New Hacker Tools
  22. Kik Hack Tools
  23. Pentest Tools For Windows
  24. Pentest Tools Windows
  25. Pentest Tools Online
  26. Hacker Search Tools
  27. Hacking Tools For Windows Free Download
  28. Pentest Tools Website
  29. Pentest Tools List
  30. Tools 4 Hack
  31. Best Hacking Tools 2019
  32. Install Pentest Tools Ubuntu
  33. Hack Tools Download
  34. Pentest Tools Find Subdomains
  35. Hack Tools Github
  36. Hacker Tools For Ios
  37. Hacking Tools For Pc
  38. Hacker Tools Software
  39. Hacker Tools Online
  40. Pentest Tools
  41. Hacker Hardware Tools
  42. Pentest Tools Port Scanner
  43. Hacker Tools
  44. Hacking Tools
  45. Hacking Tools Windows 10
  46. Hacking Tools Software
  47. Hacking Tools Windows
  48. Hack Website Online Tool
  49. Hacking Tools For Windows 7
  50. Easy Hack Tools
  51. Pentest Tools Kali Linux
  52. Hacker Tools Software
  53. Hacking Tools For Pc
  54. Hacker Tools 2020
  55. Hack Tools 2019
  56. Hacking Tools For Pc
  57. Hacker Tools Free Download
  58. Hacking Tools Software
  59. Hacking Tools Windows
  60. Hacker Tools Windows
  61. Best Pentesting Tools 2018
  62. Hack Tools
  63. Hacking Tools For Mac
  64. Hak5 Tools
  65. Hacking Tools For Kali Linux
  66. Pentest Tools Subdomain
  67. Install Pentest Tools Ubuntu
  68. Hack And Tools
  69. Blackhat Hacker Tools
  70. Hacker Tools Free
  71. Hack Tools Github
  72. Hack Tools For Games
  73. Hacker Techniques Tools And Incident Handling
  74. Pentest Tools Free
  75. Hack Tool Apk
  76. Hacker Tools For Ios
  77. Pentest Tools Free
  78. Pentest Tools For Windows
  79. Hack Tools For Games
  80. Usb Pentest Tools
  81. Hacking Tools Mac
  82. Computer Hacker
  83. Hacker Tools For Ios
  84. Hacker Techniques Tools And Incident Handling
  85. Pentest Tools For Mac
  86. Best Hacking Tools 2019
  87. Hacking Tools Software
  88. Hack Tools For Games
  89. Pentest Tools Nmap
  90. Pentest Reporting Tools
  91. Hacking Tools Name
  92. Hacker Tools Apk Download
  93. Hacking Tools Usb
  94. Pentest Tools Alternative
  95. Hacker Search Tools
  96. Best Pentesting Tools 2018
  97. Hacker Tools For Ios
  98. How To Make Hacking Tools
  99. Hackrf Tools
  100. Hack Tool Apk No Root
  101. New Hack Tools
  102. Nsa Hacker Tools
  103. Hack Tool Apk
  104. Hack Tools Download
  105. Android Hack Tools Github
  106. Game Hacking
  107. New Hack Tools
  108. Hacking Tools For Windows 7
  109. Hack Tool Apk No Root
  110. Hacking Tools For Games
  111. Hack App
  112. Hacking Tools For Pc
  113. Hacker Tools Apk Download
  114. Hacking Tools 2019
  115. New Hack Tools
  116. Pentest Tools Free
  117. Best Pentesting Tools 2018
  118. Best Pentesting Tools 2018
  119. Pentest Tools Windows
  120. Best Hacking Tools 2020
  121. Pentest Reporting Tools
  122. Hack Tools Mac
  123. Hacker Tools 2020
  124. Pentest Tools Download
  125. Hak5 Tools
  126. Hacker Techniques Tools And Incident Handling
  127. Hacking Tools For Beginners
  128. Hacking Tools For Pc
  129. Hack Rom Tools
  130. Hack Apps
  131. Wifi Hacker Tools For Windows
  132. Hack Tools For Mac
  133. Pentest Tools Open Source
  134. New Hack Tools
  135. Hacker Tools Free Download
  136. Pentest Tools
  137. Hackers Toolbox
  138. Ethical Hacker Tools
  139. Pentest Tools Download
  140. Pentest Reporting Tools
  141. Hacking Tools For Kali Linux
  142. Pentest Tools Find Subdomains
  143. Beginner Hacker Tools
  144. How To Install Pentest Tools In Ubuntu
  145. New Hack Tools
  146. Game Hacking
  147. Hacking Tools Software
  148. Hack Tools For Ubuntu
  149. Pentest Tools Alternative
  150. Hacking App
  151. What Is Hacking Tools
  152. Hack Tools For Ubuntu
  153. Ethical Hacker Tools
  154. Hack Apps
  155. Android Hack Tools Github
  156. Pentest Tools Nmap
  157. Hacker Techniques Tools And Incident Handling
  158. Best Hacking Tools 2020
  159. Hacking App
  160. Hacking Tools Software
  161. Hack Tools For Games
  162. Easy Hack Tools
  163. Hacker Tools Linux
  164. Nsa Hack Tools Download
  165. Pentest Tools List
  166. Hacking Tools Mac
  167. Hack App
  168. Hacker Tools 2020
  169. Black Hat Hacker Tools
  170. Hacking Tools Kit
  171. Nsa Hack Tools
  172. Hacking Tools Mac
  173. Hacking Tools Windows 10
  174. Pentest Box Tools Download
  175. World No 1 Hacker Software
  176. Easy Hack Tools
  177. Pentest Tools Nmap