Skip to content

RegX - A Flexible Potfile Parsing Tool

License

Notifications You must be signed in to change notification settings

cyclone-github/regx

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Readme Card

RegX

A Flexible Potfile Parsing Tool

Pronounced "Reg-X" as in Regex eXtractor

Why use RegX instead of grep, ripgrep, etc?

Unlike general-purpose tools like grep or ripgrep, RegX offers a more nuanced approach that was developed specifically for parsing hashcat potfiles that contain multiple hash algo's. While this can be done with grep, compiling and testing regular expressions, especially for more complex hashes, can be cumbersome and error prone. See examples below.

RegX vs grep (egrep):

  • Parse md5 (hex32) hashes:
    • grep
      • egrep '[a-f0-9]{32}' file.txt
    • RegX
      • ./regx.bin -f file.txt -m hex32
  • Parse bcrypt hashes:
    • grep
      • egrep '\$2[a-zA-Z]{1}\$[0-9]{2}\$[[:print:]]{53}' file.txt
    • RegX
      • ./regx.bin -f file.txt -m 3200
  • Parse Django (PBKDF2-SHA256) hashes:
    • grep
      • egrep 'pbkdf2_sha256\$[0-9]{1,6}\$[[:print:]]{57}' file.txt
    • RegX
      • ./regx.bin -f file.txt -m 10000
  • Parse Bitcoin hashes:
    • grep
      • egrep '\$bitcoin\$[0-9]{1,3}\$[a-f0-9]{40,}\$[0-9]{2}\$[a-f0-9]{2,}\$[0-9]{2,}\$[0-9]{1,}\$[0-9]{1,}\$[0-9]{1,}\$[0-9]{1,}' file.txt
    • RegX
      • ./regx.bin -f file.txt -m 11300

As shown in the examples above, RegX's built-in support for popular hashcat algorithms makes parsing hashes seamless.

RegX also supports a wide range of regex patterns compatible with RE2, by using option: -r {regex_pattern}

More info on RE2: https://github.com/google/re2/wiki/Syntax

Usage Instructions:

  • Parse all hex 32 hashes (md5, md4, ntlm, etc), both salted and non-salted:
    • ./regx.bin -f file.txt -m hex32
  • Parse bcrypt hashes by hashcat mode {-m 3200}:
    • ./regx.bin -f file.txt -m 3200
  • Parse bcrypt hashes by algo name {-m bcrypt}:
    • ./regx.bin -f file.txt -m bcrypt
  • Parse a custom hex length hash (where {nth} equals length):
    • ./regx.bin -f file.txt -m hex{nth}
  • Use custom RE2 regex with -r {regex}:
    • ./regx.bin -f file.txt -r '[a-fA-F0-9]{32}'
  • Run ./regx.bin -help to see a list of all options

Supported hash algorithms (more will be added):

  • All HEX algos:
    • -m hex32 covers all HEX32 hashes such as md5, md5, ntlm, etc
    • -m hex40 covers all HEX40 hashes such as sha1, mysql5, ripemd-160, etc
    • custom hex lengths can be given as well, -m hex56 would cover sha224 hashes, etc
Mode: Hashcat Mode: HEX
crc32 11500 hex8
crc64 28000 hex16
md4 900 hex32
md5 0 hex32
ntlm 1000 hex32
ripemd-160 6000 hex40
sha1 100 hex40
mysql5 300 hex40
sha224 1300 hex56
sha256 1400 hex64
sha384 10800 hex96
sha512 1700 hex128
metamask 26600
bitcoin 11300
pbkdf2sha256 10000
bcrypt 3200
sha512crypt 1800
md5crypt 500
phpass 400

Compile from source:

  • If you want the latest features, compiling from source is the best option since the release version may run several revisions behind the source code.
  • This assumes you have Go and Git installed
    • git clone https://github.com/cyclone-github/regx.git
    • cd regx
    • go mod init regx
    • go mod tidy
    • go build -ldflags="-s -w" .
  • Compile from source code how-to:

Change Log:

Antivirus False Positives:

  • Several antivirus programs on VirusTotal incorrectly detect compiled Go binaries as a false positive. This issue primarily affects the Windows executable binary, but is not limited to it. If this concerns you, I recommend carefully reviewing the source code, then proceed to compile the binary yourself.
  • Uploading your compiled binaries to https://virustotal.com and leaving an up-vote or a comment would be helpful as well.