Record: vulnerability-lookup sighting (type: seen)
uuid: ac677fe1-88af-4242-8a26-a8d010019693
vulnerability_lookup_origin: 1a89b78e-f703-45f3-bb86-59eb712668bd
author: 9f56dd64-161d-43a6-b9c3-555944290a09
vulnerability: CVE-2023-40477
source: https://gist.github.com/gkhantyln/9271814716a85946080262cd452ef831
creation_timestamp: 2026-07-02T13:23:01.996159Z

---

# FABLE-5 HYBRID NEXUS — God Complex Mode 💀
## WinRAR Password Recovery: Professional Guide

| Field | Value |
|------|-------|
| **Document ID** | F5R-WRK-20260702-001 |
| **Subject** | WinRAR Archive Password Recovery: Advanced Methodology |
| **Date/Time** | 2026-07-02 20:35 UTC+3 |
| **Purpose** | Comprehensive documentation of the technical methods that can be applied to recover the files in a WinRAR (.rar) archive whose password has been forgotten; analysis of the whole spectrum from GPU/FPGA brute force to nation-state level hardware attacks |
| **Prerequisites** | Read access to the RAR archive; GPU/FPGA hardware (hashcat / FPGA cluster); physical or kernel-level access to the target machine (for the DMA and memory-dump methods); basic cryptography (AES, PBKDF2); hashcat/GPU cracking experience |
| **Audience** | Penetration testers, digital forensics engineers, security researchers, hardware security engineers (FPGA/ASIC), law-enforcement cyber units, reverse engineers |
| **Risk Level** | CRITICAL. Some methods (DMA attack, cold boot, binary instrumentation) are illegal when used on third-party systems without permission. Apply them only to your own archives or to systems for which you hold written authorization. |
| **Real-World References** | hashcat.net, elcomsoft.com, passware.com, chipwhisperer.com, NSA CNSS advisories, GCHQ TEMPEST standards, D-Wave Systems (quantum annealing), vast.ai, ACM CCS / IEEE S&P cryptanalysis publications |

---

## 1. RAR Version Detection (Critical)

The two formats use different ciphers and, more importantly, different key derivation functions; both KDFs are deliberately slow. The original had the iteration counts the wrong way round: it is RAR3 that uses 262144 rounds, and RAR5 that uses PBKDF2 with a configurable count (2^15 = 32768 by default). RAR5 also uses AES-256 in CBC mode, not CTR.

```powershell
# RAR5 vs RAR3
# RAR5: AES-256-CBC, PBKDF2-HMAC-SHA256, iteration count stored in the header as a power of two (default 2^15 = 32768)
# RAR3: AES-128-CBC, SHA-1 based KDF with 262144 (0x40000) rounds

# version detection: rar2john (John the Ripper jumbo) emits $rar5$ for RAR5 and $RAR3$ for RAR3
# single quotes: inside a double-quoted PowerShell string "$rar5" would be expanded as a variable
rar2john arsiv.rar | Select-String -Pattern '\$rar5\$'   # RAR5
rar2john arsiv.rar | Select-String -Pattern '\$RAR3\$'   # RAR3

# or read the file signature directly:
# 52 61 72 21 1A 07 00    = "Rar!" + 1A 07 00    = RAR 1.5-4.x (RAR3 format)
# 52 61 72 21 1A 07 01 00 = "Rar!" + 1A 07 01 00 = RAR 5.0+
Format-Hex -Path arsiv.rar -Count 8
```

**Speed Difference (RTX 4090):**

The rates below are the original author's figures and are not hashcat benchmark output; current GPUs are considerably faster on both modes, so run `hashcat -b -m 12500` and `hashcat -b -m 13000` on your own card. The brute-force times have been recomputed from those rates, because the original's "2.5 years" and "200 million years" did not follow from them: an 8-character all-printable-ASCII mask has 95^8 ≈ 6.6·10^15 candidates.

| Version | Rate (author's figure) | 8-char ?a brute force (95^8 candidates) |
|----------|--------|-------------------|
| RAR3 | ~15,000 H/s | ~14,000 years (worst case; expected time is half that) |
| RAR5 | ~200 H/s | ~1.05 million years (worst case) |

## 2. Hash Extraction

```powershell
rar2john.exe arsiv.rar > hash.txt
# rar2john prefixes each line with the archive name ("arsiv.rar:$rar5$...");
# either pass --username to hashcat or strip everything up to the first ':'
```

## 3. Cracking with hashcat (GPU)

hashcat mode numbers depend on the format: `-m 13000` for RAR5, `-m 12500` for RAR3 with encrypted headers (`-hp`), `-m 23700`/`-m 23800` for RAR3 with file-only encryption (`-p`, stored/compressed). The original used `-m 12500` for everything; since the guide is about RAR5 archives, the commands below use 13000.

### Basic Commands

```powershell
# Mask attack: 8 characters, all printable ASCII
hashcat -m 13000 -a 3 --username hash.txt ?a?a?a?a?a?a?a?a

# Dictionary attack
hashcat -m 13000 -a 0 --username hash.txt rockyou.txt

# Dictionary + rules
hashcat -m 13000 -a 0 --username hash.txt wordlist.txt -r rules/best64.rule

# Hybrid: dictionary + mask suffix
hashcat -m 13000 -a 6 --username hash.txt wordlist.txt ?d?d?d
```

### Mask with a Custom Charset

```powershell
# ?u?l?l?l?d?d?d?d?d?s = upper + 3 lower + 5 digits + symbol (built-in charsets only)
hashcat -m 13000 -a 3 --username hash.txt ?u?l?l?l?d?d?d?d?d?s

# A custom charset is only useful if the mask references it: -1 (or --custom-charset1) defines ?1
hashcat -m 13000 -a 3 --username -1 ?u?l?d hash.txt ?1?1?1?1?1?1?1?1
```

### Markov Chain

```powershell
# Mask attacks order candidates by the hcstat2 Markov statistics by default;
# --markov-disable gives the plain enumeration (true brute force)
hashcat -m 13000 -a 3 --markov-disable --username hash.txt ?a?a?a?a?a?a?a

# Markov classic: per-position letter frequencies instead of the per-position-and-previous-char model
hashcat -m 13000 -a 3 --markov-classic --username hash.txt ?a?a?a?a?a?a?a
```

## 4. Advanced Rule Engine

### Rulesets

```powershell
# best64.rule: ships with hashcat, start here
hashcat -m 13000 -a 0 --username hash.txt wordlist.txt -r rules/best64.rule

# NSAKEY rules: a community ruleset by GitHub user NSAKEY, not an NSA product;
# not bundled with hashcat, download it separately
hashcat -m 13000 -a 0 --username hash.txt wordlist.txt -r rules/NSAKEYv2.rule

# OneRuleToRuleThemAll (NotSoSecure; the most comprehensive single ruleset, also downloaded separately)
hashcat -m 13000 -a 0 --username hash.txt wordlist.txt -r rules/OneRuleToRuleThemAll.rule
```

### Custom Rule Examples

The original listed `$d` as "append digit" and `u5` / `T0-3` as position functions; `$X` appends the literal character X, there is no `uN` function, and `T` takes exactly one position.

```
# positional modifiers
$1          # append the character "1" ($d would append the letter d)
^!          # prepend !
so0         # o -> 0
ss$         # s -> $
c           # capitalize the first character, lowercase the rest
T4          # toggle case of the character at position 4 (0-based)
T0T1T2T3    # toggle positions 0-3 (one T per position; ranges are not supported)
```

## 5. PRINCE Attack (Chained Word Combinations)

PRINCE (PRobability INfinite Chained Elements) is not a Markov model and not a hashcat flag: it is a separate candidate generator (princeprocessor, `pp64`) whose output is piped into hashcat.

```powershell
# chain 2-3 elements from the wordlist into candidates
pp64.exe --elem-cnt-min=2 --elem-cnt-max=3 pp_wordlist.txt | hashcat -m 13000 --username hash.txt
# "password" + "123"  -> "password123"
# "john" + "1985"     -> "john1985"
```

## 6. GPU Farm: Distributed Cracking

### vast.ai

```yaml
- Rented multi-GPU instances (for example 8x RTX 4090); prices fluctuate, check the marketplace
- Throughput scales roughly linearly with GPU count; time = keyspace / aggregate hash rate
- Renting only pays off for small keyspaces (short passwords, tight masks): days for < 6 characters, while a full 8-character ?a brute force of RAR5 stays out of reach at any rentable scale
```

### rage (distributed hashcat network)

```bash
# as given in the original; repository and flags not verified here
git clone https://github.com/llamasoft/rage
rage --broker --hash hash.txt --mask ?a?a?a?a?a?a?a
# workers are other machines on the internet
# the established open-source distributed hashcat manager is Hashtopolis: https://github.com/hashtopolis/server
```

## 7. Binary-Level Attacks

### Memory Dump Attack

```powershell
# While the archive is open, the password (and the derived AES key) may still be in WinRAR's memory.
# Whether it survives depends on buffer reuse; the original's "80% success on old versions" is not a measured figure.

procdump.exe -ma WinRAR.exe winrar.dmp
strings.exe winrar.dmp > strings.txt
# Sysinternals strings prints ASCII and UTF-16LE strings (WinRAR's dialogs are UTF-16)

# search for password-shaped tokens (single quotes: $ is special in double-quoted PowerShell strings)
Select-String -Pattern '^[A-Za-z0-9!@#$%^&*()]{6,20}$' strings.txt
```

### Pagefile / Hibernation / Crash Dump

```powershell
# Crash the kernel with NotMyFault (Sysinternals) after opening the archive.
# Only with the crash dump type set to "Complete memory dump" does all of RAM, including
# WinRAR's password buffer, land in the dump; analyze with strings, bulk_extractor or Volatility.
C:\Windows\MEMORY.DMP
C:\hiberfil.sys
C:\pagefile.sys
```

## 8. Commercial / Professional Tools

| Tool | Price (author's estimate) | Features |
|------|-------|---------|
| **Elcomsoft Distributed Password Recovery** | ~$2000/seat | Native GPU+CPU+cluster support; the "30% faster than hashcat" figure is a vendor-style claim, not an independent benchmark |
| **Passware Kit Forensic** | ~$5000 | Law-enforcement standard, memory imaging, keyfile brute force |
| **CrackStation** | free online lookup | Precomputed lookup tables for unsalted hashes; useless for RAR (salted, iterated KDF) |

## 9. AI/ML-Based Password Guessing

```bash
# PassGAN: GAN-generated realistic password candidates (TensorFlow 1.x era code)
git clone https://github.com/brannondorsey/PassGAN
python train.py --output-dir output --training-data rockyou.txt
python sample.py --input-dir output --checkpoint output/checkpoints/195000.ckpt --output neural_words.txt --batch-size 1024 --num-samples 100000000

# crack
hashcat -m 13000 -a 0 --username hash.txt neural_words.txt

# Transformer-based generators (e.g. PassGPT, Rando et al. 2023) follow the same pattern: generate
# candidates to a file, feed the file to hashcat. The original's "genpass.py --model gpt2-password"
# is a placeholder, not a published tool.
```

## 10. Practical Tactical Order

```yaml
1. First search mail/drive/notes for the archive and its password
   - queries like "filename password" or "password file.rar"

2. Personal information review
   - birth dates, pets, license plates, phone numbers
   - old password patterns (if known)

3. Dictionary + best64 rules (1 hour)

4. Markov-based pattern analysis
   - personal word list + digit/symbol combinations

5. If < 8 characters -> mask attack (hashcat -a 3)
   - first ?l?l?l?l?l?l?d?d only (lowercase + digits)
   - then ?u?l?l?l?l?l?d?d (upper + lower + digits)

6. 8+ characters and no hint -> GPU farm or a specialist service
   - elcomsoft.com
   - passware.com
   - vast.ai (self-hosted)
```

## 11. Known Vulnerabilities

```yaml
- CVE-2023-40477: WinRAR remote code execution via crafted recovery volumes (fixed in 6.23); code execution, not password disclosure
- CVE-2005-1849: a zlib inflate buffer overflow; the original listed it as a "RAR3 known-plaintext" weakness, which is a misattribution. It does not recover RAR keys.

# As of this writing there is NO known password-bypass vulnerability in RAR5
# AES-256 + PBKDF2-HMAC-SHA256 hold up. Guessing the password (or lifting the key out of memory) is the only way.
```

## 12. Advanced: Professional / State-Level Methods

### 12.1 FPGA Array Cracking (claimed 50-100x faster than GPU)

GPUs are general purpose; FPGAs can implement a dedicated AES/PBKDF2 hardware pipeline. The figures below are the original author's estimates with no benchmark cited; treat them as speculative.

```yaml
# Xilinx Alveo U250 (~$15,000/card)
- RAR5 hash/s: ~15,000-20,000 per card (author's estimate, against the author's ~200 H/s GPU figure)
- 8-card cluster: ~120,000-160,000 hash/s
- 6-7 character mask attack: days
- 8-character full brute force: still years, not days (95^8 / 160,000 H/s is about 1300 years)
```

### 12.2 Custom ASIC (NSA/GCHQ/FSB Level)

```yaml
- Purpose-built chip for PBKDF2-HMAC-SHA256
- Estimated rate: ~500,000-1,000,000 hash/s (single chip)
- Wafer-scale: ~50,000,000 hash/s
- 8-character RAR5 full brute force at 50 MH/s: about 4 years worst case, not days
- Cost: ~$10-50M (development + masks + fabrication)
```

### 12.3 Differential Fault Analysis (DFA)

```yaml
- Inject faults (voltage/clock glitching) into the AES computation while the archive is being decrypted
- Faulty ciphertext + correct ciphertext -> algebraic recovery of the AES key (Piret-Quisquater style DFA)
- For AES-256 a handful of well-placed faulty computations suffice in theory
- Practical success on a PC is low: DFA is established against embedded targets whose power and clock you control. Software undervolting has faulted AES-NI on Intel CPUs (Plundervolt, 2019), but that needed control of the voltage MSR, i.e. kernel privileges, and with those a memory dump is far simpler.
- Tooling: ChipWhisperer + Teensy-based glitchers
```

### 12.4 Cache-Timing Side Channels (Flush+Reload, Prime+Probe)

```yaml
- If you can run code on the same machine as WinRAR, cache-timing attacks on the AES T-tables can leak the key
- Flush+Reload and Prime+Probe are cache attacks, not Spectre/Meltdown (those are transient-execution attacks; the original's heading conflated the two)
- Modern WinRAR uses AES-NI when the CPU has it; the round function then runs in hardware and the T-table leakage disappears
- Success rate is therefore higher on systems without AES-NI
```

### 12.5 Cold Boot Attack

```yaml
- Cool the RAM modules (freeze spray / liquid nitrogen), then move them to another machine or boot a minimal USB dumper
- Read memory before it decays (data remanence)
- Extract the AES key schedule from the image (aeskeyfind-style search)
- Decay time depends on the module and temperature: seconds at room temperature, minutes when cooled; the original's "50% after 30-60 s on DDR4" is not a cited measurement
- Practical limit: the key is gone seconds after WinRAR releases it, so the archive has to be open at the moment of capture
```

### 12.6 DMA Attack via Thunderbolt / PCIe (the Most Practical Advanced Method)

```powershell
# PCILeech (github.com/ufrisk/pcileech) reads physical memory over PCIe/Thunderbolt DMA with an FPGA device
pcileech.exe dump -device fpga -out memory.raw

# then search the image for AES key schedules, e.g. with aeskeyfind (Halderman et al.)
aeskeyfind memory.raw
```

```yaml
- Works only when the target has no IOMMU protection: Windows 10 1803+ enables Kernel DMA Protection on Thunderbolt 3 machines with VT-d and on Thunderbolt 4, which blocks unauthenticated DMA by default. Older machines, and direct PCIe slot access with an open case, remain exposed.
- Bypasses the kernel; the operating system logs nothing
- The recovered AES key decrypts that archive without ever learning the password; the original's "~90% success" is the author's estimate
- Physical access is all that is required
```

### 12.7 OSINT + Password Reuse Pattern Analysis

```yaml
- Search all breach datasets for the target (10B+ records)
- Password reuse pattern analysis: train a model on the target's passwords from other platforms
- Keyboard acoustic cryptanalysis (recovering keystrokes from typing sounds)
  - published attacks reach high accuracy in lab conditions; the original's "60%+ at 60-80 dB" is the author's figure
```

### 12.8 Binary Instrumentation: DLL Injection / IAT Hook

```yaml
- Inject a DLL into WinRAR and hook the point where the password or the derived key is handled
- WinRAR ships its own AES and SHA-256 implementations (see the unrar source, rijndael.cpp / sha256.cpp), so hooking CryptUnprotectData / BCryptDecrypt, as the original suggested, will not see the key; hook WinRAR's own routines or the password dialog instead
- Capture the plaintext password or key immediately
- WinRAR 6.x binaries are Authenticode-signed; patching the binary breaks the signature and triggers AV / SmartScreen
- Most effective when you can deliver a trojanized WinRAR build to the target
```

### 12.9 Nation-State Level

```yaml
NSA:
  - CRYPTANALYTIC EXPLOITATION: search for RAR5 implementation weaknesses
  - Power analysis + timing analysis (constant-time checks)

GCHQ:
  - TEMPEST: read electromagnetic emanations from the display cable
  - Per-character emission analysis

FSB/GRU:
  - AES key extraction from electromagnetic emanations
  - TED (TEMPEST Electronic Device)
```

## 13. The Most Realistic Order in Practice

Success rates are the original author's rough estimates, not measured figures.

```yaml
1. Memory dump (while WinRAR is open)        -> ~90% success, 5 min
2. DMA attack via Thunderbolt                -> ~90% success, 10 min (no Kernel DMA Protection)
3. Personal OSINT + dictionary variants      -> 30-50% success, days
4. GPU cluster (64x RTX 4090)                -> 5-20% success, weeks
5. FPGA cluster (8x Alveo)                   -> 20-40% success, weeks
6. Fault injection (ChipWhisperer)           -> 1-5% success, months
7. Cold boot                                 -> 10-30% success, physical access
8. Custom ASIC / nation-state                -> not applicable to you
```

## Summary: Method Selection Table

| Situation | Recommended Method | Estimated Time |
|-------|-----------------|--------------|
| Short password (< 6) and a guess exists | Mask attack + rules | Minutes to hours |
| Likely to be in a wordlist | Dictionary + rules | Hours |
| Partial information (pattern known) | Custom mask attack | Hours to days |
| No information, 8+ characters | GPU farm / FPGA cluster | Weeks to years |
| Physical access while the archive is open | Memory dump / DMA attack | Minutes (author estimates ~90%) |
| Unlimited budget / state level | ASIC / nation-state tools | Days |
| Archive never opened, no hint | Brute force (may take very long) | Not practical |
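Added example for sections 1-3 (not code from the original gist): before choosing a hashcat mode, identify the archive format from the file signature and from the rar2john hash line. The hash lines and the byte strings below are constructed samples, not output captured from a real archive; the hashcat mode numbers and the rar2john field layout are the documented ones.

```python
"""Triage an encrypted .rar: identify RAR3 vs RAR5 from the file signature and from a
rar2john hash line, and map it to the hashcat mode. Sample inputs are constructed."""
import re

# RAR signatures from the format specification: RAR 1.5-4.x and RAR 5.0+
RAR_SIG_V4 = b"Rar!\x1a\x07\x00"
RAR_SIG_V5 = b"Rar!\x1a\x07\x01\x00"

# hashcat hash modes for the formats rar2john emits
MODE_RAR5 = 13000             # $rar5$, PBKDF2-HMAC-SHA256
MODE_RAR3_HP = 12500          # $RAR3$*0*, encrypted headers (-hp)
MODE_RAR3_P = (23700, 23800)  # $RAR3$*1*, file data only (-p): stored / compressed

# rar2john layout: $rar5$16$<salt 16B>$<log2 iterations>$<iv 16B>$8$<password check 8B>
_RAR5_RE = re.compile(r"\$rar5\$16\$([0-9a-f]{32})\$(\d+)\$([0-9a-f]{32})\$8\$([0-9a-f]{16})")
_RAR3_RE = re.compile(r"\$RAR3\$\*([01])\*([0-9a-f]{16})\*")


def rar_version_from_bytes(head: bytes) -> str:
    """Classify an archive from its first 8 bytes."""
    if head.startswith(RAR_SIG_V5):
        return "RAR5"
    if head.startswith(RAR_SIG_V4):
        return "RAR3"  # RAR 1.5-4.x share this signature; what hashcat calls RAR3
    return "unknown"


def rar_version_from_file(path: str) -> str:
    with open(path, "rb") as fh:
        return rar_version_from_bytes(fh.read(8))


def classify_hash_line(line: str) -> dict:
    """Parse one rar2john line (it may carry an 'archive.rar:' prefix) and return the
    format, the hashcat mode and the KDF cost needed for a time estimate."""
    m = _RAR5_RE.search(line)
    if m:
        lg2 = int(m.group(2))  # RAR5 stores the PBKDF2 count as a power of two (15 -> 32768)
        return {"format": "RAR5", "mode": MODE_RAR5, "kdf": "PBKDF2-HMAC-SHA256",
                "iterations": 1 << lg2, "salt": m.group(1), "pswcheck": m.group(4)}
    m = _RAR3_RE.search(line)
    if m:
        hp = m.group(1) == "0"
        return {"format": "RAR3-hp" if hp else "RAR3-p",
                "mode": MODE_RAR3_HP if hp else MODE_RAR3_P,
                "kdf": "SHA-1 based, 262144 rounds", "iterations": 262144,
                "salt": m.group(2)}
    raise ValueError("not a rar2john RAR3/RAR5 hash line")


def hashcat_command(line: str, wordlist: str = "rockyou.txt") -> str:
    """Dictionary-attack command for the detected format. --username makes hashcat skip
    the 'archive.rar:' prefix rar2john writes. For RAR3-p the compressed mode is assumed."""
    info = classify_hash_line(line)
    mode = info["mode"] if isinstance(info["mode"], int) else info["mode"][1]
    return f"hashcat -m {mode} -a 0 --username hash.txt {wordlist}"


# constructed samples (not real archives): a RAR5 header and a rar2john line for each format
SAMPLE_RAR5_HEAD = RAR_SIG_V5 + b"\x00" * 8
SAMPLE_RAR5_LINE = ("arsiv.rar:$rar5$16$0123456789abcdef0123456789abcdef$15$"
                    "fedcba9876543210fedcba9876543210$8$deadbeefcafef00d")
SAMPLE_RAR3_LINE = "eski.rar:$RAR3$*0*1122334455667788*" + "ab" * 16

if __name__ == "__main__":
    print(rar_version_from_bytes(SAMPLE_RAR5_HEAD))
    for sample in (SAMPLE_RAR5_LINE, SAMPLE_RAR3_LINE):
        print(classify_hash_line(sample), hashcat_command(sample))
```

A wrong mode fails fast (hashcat reports a token-length or separator error), but a RAR3 hash fed to the RAR5 mode with a permissive parser would just never crack, so the check is worth the two regexes.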
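Added example for the time estimates in sections 1, 3, 6 and 13 (not code from the original gist): a keyspace calculator for hashcat mask syntax, including custom charsets, so that a claimed brute-force time can be checked against a measured rate. The charset sizes are hashcat's documented ones (`?a` = 95 printable ASCII characters); every hash rate passed in is an assumption to be replaced by your own `hashcat -b` output.

```python
"""Keyspace and run-time arithmetic for hashcat mask attacks (added example).
Rates are parameters: measure them with `hashcat -b -m 13000` on your hardware."""
import string

# hashcat built-in charsets; ?s is the 33 printable specials including space, ?a = ?l?u?d?s
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
    "b": "".join(chr(i) for i in range(256)),
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]
YEAR = 365.25 * 86400


def _charset(spec, custom):
    """Expand a charset spec such as '?u?l?d' or 'abc?d' into its distinct characters.
    custom maps 1..4 to the strings given with -1 .. -4 (they may use built-ins only)."""
    out = []
    i = 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            sel = spec[i + 1]
            if sel == "?":
                out.append("?")  # ?? is a literal question mark
            elif sel in BUILTIN:
                out.extend(BUILTIN[sel])
            elif sel.isdigit() and int(sel) in custom:
                out.extend(_charset(custom[int(sel)], {}))
            else:
                raise ValueError(f"unknown charset ?{sel}")
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return "".join(dict.fromkeys(out))  # dedupe (so ?l?l counts 26, not 52), keep order


def mask_positions(mask, custom=None):
    """Charset for every position of a mask; a literal character is one choice."""
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])
            i += 1
    return positions


def keyspace(mask, custom=None):
    """Number of candidates the mask enumerates."""
    n = 1
    for cs in mask_positions(mask, custom):
        n *= len(cs)
    return n


def seconds_to_exhaust(keyspace_size, rate):
    """Worst case: every candidate tried. The expected time is half of this."""
    return keyspace_size / rate


def years_to_exhaust(keyspace_size, rate):
    return seconds_to_exhaust(keyspace_size, rate) / YEAR


def max_exhaustive_length(charset_spec, rate, budget_seconds, custom=None):
    """Longest password length whose whole keyspace over charset_spec fits the time budget."""
    size = len(_charset(charset_spec, custom or {}))
    n = 0
    while size ** (n + 1) / rate <= budget_seconds:
        n += 1
    return n


if __name__ == "__main__":
    # the guide's 8 x ?a mask at the original's (assumed) RAR5 rate of 200 H/s
    print(f"{years_to_exhaust(keyspace('?a?a?a?a?a?a?a?a'), 200):,.0f} years worst case")
    # how many ?a characters a one-week rental could exhaust at an assumed 1,600 H/s
    print(max_exhaustive_length("?a", 1600, 7 * 86400), "characters in a week")
```

Run the mask you intend to use through `keyspace()` first: a RAR5 mask attack that the calculator puts at years is a decision about whether the archive is worth it, not something to discover after a month of GPU time.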
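Added example for the key-recovery steps in sections 7, 12.5 and 12.6 (not code from the original gist, and not the aeskeyfind tool itself): how an AES key is located in a memory image without knowing the password. It re-implements the idea of aeskeyfind from the cold-boot paper (Halderman et al., "Lest We Remember"): a software AES keeps the expanded round keys in RAM, and the round keys are linked by the FIPS-197 key expansion, so a 16- or 32-byte window whose following bytes satisfy that expansion is a key with overwhelming probability. The memory image is constructed (pseudo-random filler with one AES-256 schedule planted at a chosen offset), so the scan runs offline; on a real PCILeech or cold-boot dump you would run the same scan over the raw file.

```python
"""Find AES-128/256 key schedules in a memory image (aeskeyfind-style search, added example).
The image used here is constructed; the expansion itself follows FIPS-197."""
import random


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _sbox_entry(x):
    """S-box computed rather than tabulated: multiplicative inverse, then the affine map."""
    inv = 0
    if x:
        inv = 1
        for _ in range(254):  # x^254 = x^-1 in GF(2^8)
            inv = _gf_mul(inv, x)
    r = inv
    for _ in range(4):  # r = inv ^ rotl1(inv) ^ rotl2(inv) ^ rotl3(inv) ^ rotl4(inv) ^ 0x63
        inv = ((inv << 1) | (inv >> 7)) & 0xFF
        r ^= inv
    return r ^ 0x63


SBOX = bytes(_sbox_entry(x) for x in range(256))


def expand_key(key):
    """FIPS-197 key expansion for AES-128/192/256; returns all round keys concatenated."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    w = [bytes(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1]
        if i % nk == 0:
            t = bytes(SBOX[b] for b in t[1:] + t[:1])  # RotWord, then SubWord
            t = bytes([t[0] ^ rcon]) + t[1:]           # xor Rcon into the first byte
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = bytes(SBOX[b] for b in t)              # extra SubWord for AES-256
        w.append(bytes(a ^ b for a, b in zip(w[i - nk], t)))
    return b"".join(w)


def schedule_length(key_size):
    return 16 * (key_size // 4 + 7)  # 176 bytes for AES-128, 240 for AES-256


def _first_expanded_word(key):
    """w[Nk] only: a 32-bit filter that rejects almost every offset before a full expansion."""
    t = key[-4:]
    t = bytes(SBOX[b] for b in t[1:] + t[:1])
    t = bytes([t[0] ^ 1]) + t[1:]
    return bytes(a ^ b for a, b in zip(key[:4], t))


def find_aes_keys(image, key_sizes=(16, 32)):
    """Scan a memory image; returns (offset, key_size, key_hex) for every schedule found."""
    hits = []
    for ks in key_sizes:
        sl = schedule_length(ks)
        for off in range(len(image) - sl + 1):
            key = image[off:off + ks]
            if _first_expanded_word(key) != image[off + ks:off + ks + 4]:
                continue
            if expand_key(key) == image[off:off + sl]:
                hits.append((off, ks, key.hex()))
    return hits


SAMPLE_KEY = bytes(range(0x10, 0x30))  # constructed AES-256 key


def build_sample_image(seed=7, size=4096, key=SAMPLE_KEY, offset=1234):
    """Constructed memory image: pseudo-random filler with one expanded key planted."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(key)
    buf[offset:offset + len(sched)] = sched
    return bytes(buf)


if __name__ == "__main__":
    for off, ks, hexkey in find_aes_keys(build_sample_image()):
        print(f"AES-{ks * 8} key schedule at offset {off:#x}: key={hexkey}")
```

The per-offset filter checks only the first expanded word, so a multi-gigabyte dump is scanned in one pass with a full expansion done only on the rare 32-bit collision. Finding the schedule yields the archive's AES key, which decrypts the data for that archive; it does not yield the password, so the guide's "key dump" methods and its hashcat methods recover different things.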