Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ##############################
- # Linux For InfoSec Pros #
- # By Joe McCray #
- ##############################
- ##########################
- # Download the attack VM #
- ##########################
- https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
- user: strategicsec
- pass: strategicsec
- ########################################
- # Boot up the StrategicSec Ubuntu host #
- ########################################
- - Log in to your Ubuntu host with the following credentials:
- user: strategicsec
- pass: strategicsec
- - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
- - You can download Putty from here:
- - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
- ########################
- # Basic Linux Commands #
- ########################
- pwd
- whereis pwd
- which pwd
- sudo find / -name pwd
- strategicsec
- /bin/pwd
- mkdir test
- cd test
- touch one two three
- ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
- h (and again without pressing the Enter key, press the Tab key twice. What happens?)
- Press the 'Up arrow key' (What happens?)
- Press 'Ctrl-A' (What happens?)
- ls
- clear (What happens?)
- echo one > one
- cat one (What happens?)
- man cat (What happens?)
- q
- cat two
- cat one > two
- cat two
- cat one two > three
- cat three
- echo four >> three
- cat three (What happens?)
- wc -l three
- man wc
- q
- cat three | grep four
- cat three | grep one
- man grep
- q
- sudo grep eth[01] /etc/* (What happens?)
- strategicsec
- cat /etc/iftab
- man ps
- q
- ps
- ps aux
- ps aux | less
- Press the 'Up arrow key' (What happens?)
- Press the 'Down arrow key' (What happens?)
- q
- top
- ############
- # VIM Demo #
- ############
- http://www.thegeekstuff.com/2009/03/8-essential-vim-editor-navigation-fundamentals/
- ###################
- # Common commands #
- ###################
- http://www.thegeekstuff.com/2009/03/15-practical-linux-find-command-examples/
- http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
- http://www.thegeekstuff.com/2010/01/awk-introduction-tutorial-7-awk-print-examples/
- http://www.thegeekstuff.com/2009/10/unix-sed-tutorial-advanced-sed-substitution-examples/
- http://www.thegeekstuff.com/2010/11/50-linux-commands/
- http://www.thegeekstuff.com/2009/10/debian-ubuntu-install-upgrade-remove-packages-using-apt-get-apt-cache-apt-file-dpkg/
- http://www.thegeekstuff.com/2010/11/modprobe-command-examples/
- http://www.thegeekstuff.com/2009/06/useradd-adduser-newuser-how-to-create-linux-users/
- http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/
- http://www.thegeekstuff.com/2010/08/how-to-create-lvm/
- http://www.thegeekstuff.com/2010/10/dmesg-command-examples/
- http://www.thegeekstuff.com/2010/03/netstat-command-examples/
- http://www.thegeekstuff.com/2009/10/debian-ubuntu-install-upgrade-remove-packages-using-apt-get-apt-cache-apt-file-dpkg/
- #################
- # IPTables Demo #
- #################
- Reference:
- http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
- Delete Existing Rules
- ---------------------
- sudo /sbin/iptables -F
- strategicsec
- (or)
- sudo /sbin/iptables --flush
- strategicsec
- Set Default Chain Policies
- --------------------------
- sudo /sbin/iptables -P INPUT DROP
- sudo /sbin/iptables -P FORWARD DROP
- sudo /sbin/iptables -P OUTPUT DROP
- Block a Specific ip-address
- ---------------------------
- BLOCK_THIS_IP="x.x.x.x"
- sudo /sbin/iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
- sudo /sbin/iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
- Allow ALL Incoming SSH
- ----------------------
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
- Allow Incoming SSH only from a Sepcific Network
- -----------------------------------------------
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
- Allow Incoming HTTP and HTTPS
- -----------------------------
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
- Combine Multiple Rules Together using MultiPorts
- ------------------------------------------------
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
- Allow Outgoing SSH
- ------------------
- sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
- sudo /sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
- Allow Outgoing SSH only to a Specific Network
- ####################
- # MD5 Hashing Demo #
- ####################
- mkdir ~/demo
- cd ~/demo
- mkdir hashdemo
- cd hashdemo
- echo test > test.txt
- cat test.txt
- md5sum test.txt
- echo hello >> test.txt
- cat test.txt
- md5sum test.txt
- cd ..
- Reference:
- https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/
- #################################
- # Symmetric Key Encryption Demo #
- #################################
- md5sum test.txt
- mkdir gpgdemo
- cd gpgdemo
- echo test > test.txt
- cat test.txt
- gpg -c test.txt
- password
- password
- ls | grep test
- cat test.txt
- cat test.txt.gpg
- rm -rf test.txt
- ls | grep test
- gpg -o output.txt test.txt.gpg
- #########################################################################################################################
- # Asymmetric Key Encryption Demo #
- # #
- # Configure random number generator #
- # https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
- #########################################################################################################################
- sudo apt-get install rng-tools
- strategicsec
- /etc/init.d/rng-tools start
- sudo rngd -r /dev/urandom
- strategicsec
- echo hello > file1.txt
- echo goodbye > file2.txt
- echo green > file3.txt
- echo blue > file4.txt
- tar czf files.tar.gz *.txt
- gpg --gen-key
- 1
- 1024
- 0
- y
- John Doe
- john@doe.com
- --blank comment--
- O
- password
- password
- gpg --armor --output file-enc-pubkey.txt --export 'John Doe'
- cat file-enc-pubkey.txt
- gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'
- cat file-enc-privkey.asc
- gpg --encrypt --recipient 'John Doe' files.tar.gz
- rm -rf files.tar.gz *.txt
- tar -zxvf files.tar.gz.gpg
- gpg --output output.tar.gz --decrypt files.tar.gz.gpg
- password
- tar -zxvf output.tar.gz
- Reference:
- http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/
- ############################
- # Encryption using OpenSSL #
- ############################
- openssl genrsa -out private_key.pem 1024
- openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
- echo hello > encrypt.txt
- openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
- cat encrypt.dat
- rm -rf encrypt.txt
- openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
- cat decrypt.txt
- ##################
- # SELinux Basics #
- ##################
- sudo apt-get install selinux selinux-utils
- strategicsec
- - Change the SELinux mode in /etc/selinux/config (optional):
- - Enforcing
- sudo sed -i 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
- strategicsec
- - Permissive
- sudo sed -i 's/SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
- strategicsec
- - Reboot
- Reference:
- http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-for-the-beginner-contexts-and-labels/
- ############
- # AppArmor #
- ############
- Reference:
- http://www.thegeekstuff.com/2014/03/apparmor-ubuntu/
- ########################
- # Bash Shell Scripting #
- ########################
- http://www.thegeekstuff.com/2011/07/bash-for-loop-examples/
- http://www.thegeekstuff.com/2010/07/bash-string-manipulation/
- http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/
- ############################
- # Ubuntu Server Build Task #
- ############################
- https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/
- ############################
- # CentOS Server Build Task #
- ############################
- https://www.howtoforge.com/tutorial/perfect-server-centos-7-1-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig3/
- #########################################################################
- # What kind of Linux am I on and how can I find out? #
- # Great reference: #
- # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
- #########################################################################
- What’s the distribution type? What version?
- -------------------------------------------
- cat /etc/issue
- cat /etc/*-release
- cat /etc/lsb-release # Debian based
- cat /etc/redhat-release # Redhat based
- What’s the kernel version? Is it 64-bit?
- -------------------------------------------
- cat /proc/version
- uname -a
- uname -mrs
- rpm -q kernel
- dmesg | grep Linux
- ls /boot | grep vmlinuz-
- What can be learnt from the environmental variables?
- ----------------------------------------------------
- cat /etc/profile
- cat /etc/bashrc
- cat ~/.bash_profile
- cat ~/.bashrc
- cat ~/.bash_logout
- env
- set
- What services are running? Which service has which user privilege?
- ------------------------------------------------------------------
- ps aux
- ps -ef
- top
- cat /etc/services
- Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
- ---------------------------------------------------------------------------------------------------------------
- ps aux | grep root
- ps -ef | grep root
- What applications are installed? What version are they? Are they currently running?
- ------------------------------------------------------------------------------------
- ls -alh /usr/bin/
- ls -alh /sbin/
- dpkg -l
- dpkg --get-selections | grep -v deinstall
- rpm -qa
- ls -alh /var/cache/apt/archives
- ls -alh /var/cache/yum/
- Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
- ------------------------------------------------------------------------------------
- cat /etc/syslog.conf
- cat /etc/chttp.conf
- cat /etc/lighttpd.conf
- cat /etc/cups/cupsd.conf
- cat /etc/inetd.conf
- cat /etc/apache2/apache2.conf
- cat /etc/my.conf
- cat /etc/httpd/conf/httpd.conf
- cat /opt/lampp/etc/httpd.conf
- ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
- What jobs are scheduled?
- ------------------------
- crontab -l
- ls -alh /var/spool/cron
- ls -al /etc/ | grep cron
- ls -al /etc/cron*
- cat /etc/cron*
- cat /etc/at.allow
- cat /etc/at.deny
- cat /etc/cron.allow
- cat /etc/cron.deny
- cat /etc/crontab
- cat /etc/anacrontab
- cat /var/spool/cron/crontabs/root
- Any plain text usernames and/or passwords?
- ------------------------------------------
- grep -i user [filename]
- grep -i pass [filename]
- grep -C 5 "password" [filename]
- find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Search for Joomla passwords
- What NIC(s) does the system have? Is it connected to another network?
- ---------------------------------------------------------------------
- /sbin/ifconfig -a
- cat /etc/network/interfaces
- cat /etc/sysconfig/network
- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
- ------------------------------------------------------------------------------------------------------------------------
- cat /etc/resolv.conf
- cat /etc/sysconfig/network
- cat /etc/networks
- sudo iptables -L
- hostname
- dnsdomainname
- What other users & hosts are communicating with the system?
- -----------------------------------------------------------
- lsof -i
- lsof -i :80
- grep 80 /etc/services
- netstat -antup
- netstat -antpx
- netstat -tulpn
- chkconfig --list
- chkconfig --list | grep 3:on
- last
- w
- Whats cached? IP and/or MAC addresses
- -------------------------------------
- arp -e
- route
- /sbin/route -nee
- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
- ------------------------------------------------------------------------------------------
- id
- who
- w
- last
- cat /etc/passwd | cut -d: # List of users
- grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
- awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
- sudo cat /etc/sudoers
- sudo -l
- What sensitive files can be found?
- ----------------------------------
- cat /etc/passwd
- cat /etc/group
- sudo cat /etc/shadow
- ls -alh /var/mail/
- Anything “interesting” in the home directorie(s)? If it’s possible to access
- ----------------------------------------------------------------------------
- ls -ahlR /root/
- ls -ahlR /home/
- Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
- ---------------------------------------------------------------------------------------------------------------------------
- cat /var/apache2/config.inc
- cat /var/lib/mysql/mysql/user.MYD
- sudo cat /root/anaconda-ks.cfg
- What has the user being doing? Is there any password in plain text? What have they been edting?
- -----------------------------------------------------------------------------------------------
- cat ~/.bash_history
- cat ~/.nano_history
- cat ~/.atftp_history
- cat ~/.mysql_history
- cat ~/.php_history
- What user information can be found?
- -----------------------------------
- cat ~/.bashrc
- cat ~/.profile
- cat /var/mail/root
- cat /var/spool/mail/root
- Can private-key information be found?
- -------------------------------------
- cat ~/.ssh/authorized_keys
- cat ~/.ssh/identity.pub
- cat ~/.ssh/identity
- cat ~/.ssh/id_rsa.pub
- cat ~/.ssh/id_rsa
- cat ~/.ssh/id_dsa.pub
- cat ~/.ssh/id_dsa
- cat /etc/ssh/ssh_config
- cat /etc/ssh/sshd_config
- cat /etc/ssh/ssh_host_dsa_key.pub
- cat /etc/ssh/ssh_host_dsa_key
- cat /etc/ssh/ssh_host_rsa_key.pub
- cat /etc/ssh/ssh_host_rsa_key
- cat /etc/ssh/ssh_host_key.pub
- cat /etc/ssh/ssh_host_key
- Any settings/files (hidden) on website? Any settings file with database information?
- ------------------------------------------------------------------------------------
- ls -alhR /var/www/
- ls -alhR /srv/www/htdocs/
- ls -alhR /usr/local/www/apache22/data/
- ls -alhR /opt/lampp/htdocs/
- ls -alhR /var/www/html/
- Is there anything in the log file(s) (Could help with “Local File Includes”!)
- -----------------------------------------------------------------------------
- cat /etc/httpd/logs/access_log
- cat /etc/httpd/logs/access.log
- cat /etc/httpd/logs/error_log
- cat /etc/httpd/logs/error.log
- cat /var/log/apache2/access_log
- cat /var/log/apache2/access.log
- cat /var/log/apache2/error_log
- cat /var/log/apache2/error.log
- cat /var/log/apache/access_log
- cat /var/log/apache/access.log
- cat /var/log/auth.log
- cat /var/log/chttp.log
- cat /var/log/cups/error_log
- cat /var/log/dpkg.log
- cat /var/log/faillog
- cat /var/log/httpd/access_log
- cat /var/log/httpd/access.log
- cat /var/log/httpd/error_log
- cat /var/log/httpd/error.log
- cat /var/log/lastlog
- cat /var/log/lighttpd/access.log
- cat /var/log/lighttpd/error.log
- cat /var/log/lighttpd/lighttpd.access.log
- cat /var/log/lighttpd/lighttpd.error.log
- cat /var/log/messages
- cat /var/log/secure
- cat /var/log/syslog
- cat /var/log/wtmp
- cat /var/log/xferlog
- cat /var/log/yum.log
- cat /var/run/utmp
- cat /var/webmin/miniserv.log
- cat /var/www/logs/access_log
- cat /var/www/logs/access.log
- ls -alh /var/lib/dhcp3/
- ls -alh /var/log/postgresql/
- ls -alh /var/log/proftpd/
- ls -alh /var/log/samba/
- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
- ###########################
- # Target IP Determination #
- ###########################
- - This portion starts the actual workshop content
- - Zone Transfer fails on most domains, but here is an example of one that works:
- dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
- - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
- perl blindcrawl.pl -d motorola.com
- Look up the IP addresses at:
- http://www.networksolutions.com/whois/index.jsp
- - Note: If you are on a different machine and need to download blindcrawl can you download it this way:
- wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
- chmod +x blindcrawl.pl
- cd ~/toolz/fierce2
- sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
- strategicsec
- - Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
- svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
- cd ~/toolz/fierce2
- wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
- tar -zxvf Template-Toolkit-2.14.tar.gz
- cd Template-Toolkit-2.14/
- perl Makefile.PL
- y
- y
- n
- y
- sudo make install
- strategicsec
- cd ..
- sudo bash install.sh
- strategicsec
- ./fierce
- ./fierce -dns motorola.com
- cd ~/toolz/
- - Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
- wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
- gcc -o ipcrawl ipcrawl.c
- chmod +x ipcrawl
- - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is
- cd ~/toolz/
- ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
- sudo nmap -sL 148.87.1.0-255
- strategicsec
- sudo nmap -sL 148.87.1.0-255 | grep oracle
- strategicsec
- - Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
- sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
- strategicsec
- ###########################
- # Load Balancer Detection #
- ###########################
- - Here are some options to use for identifying load balancers:
- - http://toolbar.netcraft.com/site_report/
- - Firefox LiveHTTP Headers
- - Here are some command-line options to use for identifying load balancers:
- dig google.com
- cd ~/toolz
- ./lbd-0.1.sh google.com
- halberd microsoft.com
- halberd motorola.com
- halberd oracle.com
- ######################################
- # Web Application Firewall Detection #
- ######################################
- cd ~/toolz/wafw00f
- python wafw00f.py http://www.oracle.com
- python wafw00f.py http://www.strategicsec.com
- cd ~/toolz/
- sudo nmap -p 80 --script http-waf-detect.nse oracle.com
- strategicsec
- sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
- strategicsec
- #########################
- # Playing with Nmap NSE #
- #########################
- nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
- nmap -p80 --script dns-brute strategicsec.com
- nmap --script http-robtex-reverse-ip secore.info
- nmap -Pn -p80 --script=http-headers strategicsec.com
- ls /usr/share/nmap/scripts | grep http
- nmap -Pn -p80 --script=http-* strategicsec.com
- ############
- # Nmap NSE #
- ############
- - Reference for this tutorial is:
- https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
- ----------------------------------------------------------------------
- sudo vi /usr/share/nmap/scripts/intro-nse.nse
- strategicsec
- -- The Head Section --
- -- The Rule Section --
- portrule = function(host, port)
- return port.protocol == "tcp"
- and port.number == 80
- and port.state == "open"
- end
- -- The Action Section --
- action = function(host, port)
- return "I love Linux!"
- end
- ----------------------------------------------------------------------
- - Ok, now that we've made that change let's run the script
- sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
- ----------------------------------------------------------------------
- sudo vi /usr/share/nmap/scripts/intro-nse.nse
- -- The Head Section --
- local shortport = require "shortport"
- -- The Rule Section --
- portrule = shortport.http
- -- The Action Section --
- action = function(host, port)
- return "I still love Linux!"
- end
- ----------------------------------------------------------------------
- - Ok, now that we've made that change let's run the script
- sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
- OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.
- ----------------------------------------------------------------------
- sudo vi /usr/share/nmap/scripts/intro-nse.nse
- -- The Head Section --
- local shortport = require "shortport"
- local http = require "http"
- -- The Rule Section --
- portrule = shortport.http
- -- The Action Section --
- action = function(host, port)
- local uri = "/installing-metasploit-in-ubunt/"
- local response = http.get(host, port, uri)
- return response.status
- end
- ----------------------------------------------------------------------
- - Ok, now that we've made that change let's run the script
- sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
- ----------------------------------------------------------------------
- sudo vi /usr/share/nmap/scripts/intro-nse.nse
- -- The Head Section --
- local shortport = require "shortport"
- local http = require "http"
- -- The Rule Section --
- portrule = shortport.http
- -- The Action Section --
- action = function(host, port)
- local uri = "/installing-metasploit-in-ubunt/"
- local response = http.get(host, port, uri)
- if ( response.status == 200 ) then
- return response.body
- end
- end
- ----------------------------------------------------------------------
- - Ok, now that we've made that change let's run the script
- sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
- ----------------------------------------------------------------------
- sudo vi /usr/share/nmap/scripts/intro-nse.nse
- -- The Head Section --
- local shortport = require "shortport"
- local http = require "http"
- local string = require "string"
- -- The Rule Section --
- portrule = shortport.http
- -- The Action Section --
- action = function(host, port)
- local uri = "/installing-metasploit-in-ubunt/"
- local response = http.get(host, port, uri)
- if ( response.status == 200 ) then
- local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
- return title
- end
- end
- ----------------------------------------------------------------------
- - Ok, now that we've made that change let's run the script
- sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
- ----------------------------------------------------------------------
- sudo vi /usr/share/nmap/scripts/intro-nse.nse
- -- The Head Section --
- local shortport = require "shortport"
- local http = require "http"
- local string = require "string"
- -- The Rule Section --
- portrule = shortport.http
- -- The Action Section --
- action = function(host, port)
- local uri = "/installing-metasploit-in-ubunt/"
- local response = http.get(host, port, uri)
- if ( response.status == 200 ) then
- local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
- if (title) then
- return "Vulnerable"
- else
- return "Not Vulnerable"
- end
- end
- end
- ----------------------------------------------------------------------
- - Ok, now that we've made that change let's run the script
- sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
- ####################
- # Installing Scapy #
- ####################
- sudo apt-get update
- sudo apt-get install python-scapy python-pyx python-gnuplot
- - Reference Page For All Of The Commands We Will Be Running:
- http://samsclass.info/124/proj11/proj17-scapy.html
- - To run Scapy interactively
- sudo scapy
- #####################################
- # Sending ICMPv4 Packets with scapy #
- #####################################
- - In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
- i = IP()
- - This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
- i.display()
- - Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
- i.dst="192.168.54.184"
- i.display()
- - Notice that scapy automatically fills in your machine's source IP address.
- - Use these commands to create an object named ic of type ICMP and display its properties:
- ic = ICMP()
- ic.display()
- - Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
- sr1(i/ic)
- - This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.
- - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
- - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
- sr1(i/ic/"YOUR NAME")
- - You should see a reply with a Raw section containing your name.
- ###################################
- # Sending a UDP Packet with Scapy #
- ###################################
- - Preparing the Target
- $ ncat -ulvp 4444
- --open another terminal--
- In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
- u = UDP()
- u.display()
- - This creates an object named u of type UDP, and displays its properties.
- - Execute these commands to change the destination port to 4444 and display the properties again:
- i.dst="192.168.54.184" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
- u.dport = 4444
- u.display()
- - Execute this command to send the packet to the Windows machine:
- send(i/u/"YOUR NAME SENT VIA UDP\n")
- - On the Windows target, you should see the message appear
- p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))
- p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))
- p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))
- traceroute (["strategicsec.com"], maxttl=20)
- This is actually an ICMP & TCP traceroute, default destination is port 80
- traceroute (["strategicsec.com"], dport=443, maxttl=20)
- ############################
- # Ping Sweeping with Scapy #
- ############################
- ----------------------------------------------------------------------
- vi scapy-pingsweep.py
- #!/usr/bin/python
- from scapy.all import *
- TIMEOUT = 2
- conf.verb = 0
- for ip in range(0, 256):
- packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
- reply = sr1(packet, timeout=TIMEOUT)
- if not (reply is None):
- print reply.dst, "is online"
- else:
- print "Timeout waiting for %s" % packet[IP].dst
- ----------------------------------------------------------------------
- ###############################################
- # Checking out some scapy based port scanners #
- ###############################################
- wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
- cat rdp_scan.py
- sudo python rdp_scan.py 192.168.1.250
- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
- After logging please open a terminal window and type the following commands:
- cd Desktop/
- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
- wget http://www.beenuarora.com/code/analyse_malware.py
- unzip malware-password-is-infected.zip
- infected
- file malware.exe
- mv malware.exe malware.pdf
- file malware.pdf
- mv malware.pdf malware.exe
- hexdump -n 2 -C malware.exe
- ***What is '4d 5a' or 'MZ'***
- Reference: http://www.garykessler.net/library/file_sigs.html
- objdump -x malware.exe
- strings malware.exe
- strings --all malware.exe | head -n 6
- strings malware.exe | grep -i dll
- strings malware.exe | grep -i library
- strings malware.exe | grep -i reg
- strings malware.exe | grep -i hkey
- strings malware.exe | grep -i hku
- - We didn't see anything like HKLM, HKCU or other registry type stuff
- strings malware.exe | grep -i irc
- strings malware.exe | grep -i join
- strings malware.exe | grep -i admin
- strings malware.exe | grep -i list
- - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
- sudo apt-get install -y python-pefile
- vi analyse_malware.py
- python analyse_malware.py malware.exe
- Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
- http://derekmorton.name/files/malware_12-14-12.sql.bz2
- Malware Repositories:
- http://malshare.com/index.php
- http://www.malwareblacklist.com/
- http://www.virusign.com/
- http://virusshare.com/
- http://www.tekdefense.com/downloads/malware-samples/
- ###############################
- # Creating a Malware Database #
- ###############################
- Creating a malware database (sqlite)
- ------------------------------------
- wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
- unzip malware-password-is-infected.zip
- infected
- python avsubmit.py --init
- python avsubmit.py -f malware.exe -e
- Creating a malware database (mysql)
- -----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:
- sudo apt-get install mysql-server
- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:
- sudo apt-get build-dep python-mysqldb
- sudo apt-get install python-mysqldb
- Step 3: Logging in
- Run the following command in the terminal:
- mysql -u root -p (set a password of 'malware')
- Then create one database by running following command:
- create database malware;
- wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
- vi mal_to_db.py -i (fill in database connection information)
- python mal_to_db.py -i
- python mal_to_db.py -i -f malware.exe -u
- mysql -u root -p
- malware
- mysql> use malware;
- select id,md5,sha1,sha256,time FROM files;
- mysql> quit;
- ##############################
- # Lesson 32: Setting up Yara #
- ##############################
- sudo apt-get install clamav clamav-freshclam
- sudo freshclam
- sudo Clamscan
- sudo apt-get install libpcre3 libpcre3-dev
- wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
- wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
- tar -zxvf v3.1.0.tar.gz
- cd yara-3.1.0/
- ./bootstrap.sh
- ./configure
- make
- make check
- sudo make install
- cd yara-python/
- python setup.py build
- sudo python setup.py install
- cd ..
- yara -v
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
- sigtool -u /var/lib/clamav/main.cvd
- python clamav_to_yara.py -f main.ndb -o clamav.yara
- wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
- unzip malware-password-is-infected.zip
- infected
- mkdir malcode/
- mv malware.exe malcode/
- vi testrule.yara
- ----------------
- rule IsPE
- {
- meta:
- description = "Windows executable file"
- condition:
- // MZ signature at offset 0 and ...
- uint16(0) == 0x5A4D and
- // ... PE signature at offset stored in MZ header at 0x3C
- uint32(uint32(0x3C)) == 0x00004550
- }
- rule has_no_DEP
- {
- meta:
- description = "DEP is not enabled"
- condition:
- IsPE and
- uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
- }
- rule has_no_ASLR
- {
- meta:
- description = "ASLR is not enabled"
- condition:
- IsPE and
- uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
- }
- ----------------
- yara testrule.yara malcode/malware.exe
- mkdir rules/
- cd rules/
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
- wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
- cd ..
- yara rules/ malcode/malware.exe
- wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
- unzip master.zip
- cd YaraGenerator-master/
- python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
- cat Test-Rule-2.yar
- wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
- yara Test-Rule-2.yar putty.exe
- ####################
- # Additional Tasks #
- ####################
- - PE Scanner:
- https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
- http://www.beenuarora.com/code/analyse_malware.py
- - AV submission:
- http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
- https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
- - Malware Database Creation:
- https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
- cd /home/malware/Desktop/Browser\ Forensics
- ls | grep pcap
- perl chaosreader.pl suspicious-time.pcap
- firefox index.html
- cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
- cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
- sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
- for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
- tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
- tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
- tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
- tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq
- tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
- tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
- tshark -r suspicious-time.pcap -qz ip_hosts,tree
- tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
- tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
- whois rapidshare.com.eyu32.ru
- whois sploitme.com.cn
- tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
- tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
- tshark -r suspicious-time.pcap -qz http_req,tree
- tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
- tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
- cd /home/malware/Desktop/Banking\ Troubles/Volatility
- python volatility
- python volatility pslist -f ../hn_forensics.vmem
- python volatility connscan2 -f ../hn_forensics.vmem
- python volatility memdmp -p 888 -f ../hn_forensics.vmem
- python volatility memdmp -p 1752 -f ../hn_forensics.vmem
- ***Takes a few min***
- strings 1752.dmp | grep "^http://" | sort | uniq
- strings 1752.dmp | grep "Ahttps://" | uniq -u
- cd ..
- cd foremost-1.5.7/
- foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
- cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
- cat audit.txt
- cd pdf
- ls
- grep -i javascript *.pdf
- cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
- wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
- unzip pdf-parser_V0_6_4.zip
- python pdf-parser.py -s javascript --raw 00600328.pdf
- python pdf-parser.py --object 11 00600328.pdf
- python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
- cat malicious.js
- *****Sorry - no time to cover javascript de-obfuscation today*****
- cd /home/malware/Desktop/Banking\ Troubles/Volatility/
- python volatility files -f ../hn_forensics.vmem > files
- cat files | less
- python volatility malfind -f ../hn_forensics.vmem -d out
- ls out/
- python volatility hivescan -f ../hn_forensics.vmem
- python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
- for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement