New Linux
joemccray
Jun 6th, 2016
##############################
# Linux For InfoSec Pros #
# By Joe McCray #
##############################


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec


########################################
# Boot up the StrategicSec Ubuntu host #
########################################

- Log in to your Ubuntu host with the following credentials:
user: strategicsec
pass: strategicsec


- I prefer to use PuTTY to SSH into my Ubuntu host on pentests, and I'll be teaching this class in the same manner that I do pentests.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


########################
# Basic Linux Commands #
########################

pwd

whereis pwd

which pwd

sudo find / -name pwd
strategicsec

/bin/pwd

mkdir test

cd test

touch one two three

ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)

h (and again, without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key' (What happens?)

Press 'Ctrl-A' (What happens?)

ls

clear (What happens?)

echo one > one

cat one (What happens?)

man cat (What happens?)
q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three (What happens?)

wc -l three

man wc
q

cat three | grep four

cat three | grep one

man grep
q


sudo grep 'eth[01]' /etc/* (What happens?)
strategicsec

cat /etc/iftab


man ps
q

ps

ps aux

ps aux | less

Press the 'Up arrow key' (What happens?)

Press the 'Down arrow key' (What happens?)
q

top

############
# VIM Demo #
############
http://www.thegeekstuff.com/2009/03/8-essential-vim-editor-navigation-fundamentals/


###################
# Common commands #
###################
http://www.thegeekstuff.com/2009/03/15-practical-linux-find-command-examples/

http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
http://www.thegeekstuff.com/2010/01/awk-introduction-tutorial-7-awk-print-examples/
http://www.thegeekstuff.com/2009/10/unix-sed-tutorial-advanced-sed-substitution-examples/


http://www.thegeekstuff.com/2010/11/50-linux-commands/
http://www.thegeekstuff.com/2009/10/debian-ubuntu-install-upgrade-remove-packages-using-apt-get-apt-cache-apt-file-dpkg/
http://www.thegeekstuff.com/2010/11/modprobe-command-examples/
http://www.thegeekstuff.com/2009/06/useradd-adduser-newuser-how-to-create-linux-users/
http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/
http://www.thegeekstuff.com/2010/08/how-to-create-lvm/
http://www.thegeekstuff.com/2010/10/dmesg-command-examples/
http://www.thegeekstuff.com/2010/03/netstat-command-examples/

#################
# IPTables Demo #
#################
Reference:
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Delete Existing Rules
---------------------
sudo /sbin/iptables -F
strategicsec

(or)

sudo /sbin/iptables --flush
strategicsec


Set Default Chain Policies
--------------------------
sudo /sbin/iptables -P INPUT DROP
sudo /sbin/iptables -P FORWARD DROP
sudo /sbin/iptables -P OUTPUT DROP


Block a Specific IP address
---------------------------
BLOCK_THIS_IP="x.x.x.x"
sudo /sbin/iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP


sudo /sbin/iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP


Allow ALL Incoming SSH
----------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Allow Incoming SSH only from a Specific Network
-----------------------------------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Allow Incoming HTTP and HTTPS
-----------------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


Combine Multiple Rules Together using MultiPorts
------------------------------------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT


Allow Outgoing SSH
------------------
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Allow Outgoing SSH only to a Specific Network


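The rules above assembled into one script, added here as an example rather than the notes' own commands. It keeps the notes' values (eth0, 192.168.100.0/24) as assumptions, uses the conntrack match in place of the older state match, fills in the empty "Allow Outgoing SSH only to a Specific Network" step with a -d rule, and orders the steps so the flush and the switch to DROP cannot cut off the SSH session the script is run over; DRY_RUN=1 (the default) prints the commands instead of applying them.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): the class's default-deny
# iptables policy assembled in a safe order. Assumed values: eth0 is the
# uplink and 192.168.100.0/24 is the admin network that may SSH in and that
# this host may SSH out to. BLOCK_THIS_IP, if set, is one address to drop.
set -eu

IPT="${IPT:-/sbin/iptables}"
IFACE="${IFACE:-eth0}"
ADMIN_NET="${ADMIN_NET:-192.168.100.0/24}"
BLOCK_THIS_IP="${BLOCK_THIS_IP:-}"
DRY_RUN="${DRY_RUN:-1}"

# Print one iptables argument list per line, in the order it must be applied.
# Order is what keeps a remote admin connected: policies are reset to ACCEPT
# before the flush (flushing while the policy is already DROP kills every
# session), loopback and established flows are accepted first, and the
# policies are switched to DROP only after the SSH rules exist.
build_rules() {
    # open everything up before flushing so the flush itself cannot lock us out
    echo "-P INPUT ACCEPT"
    echo "-P FORWARD ACCEPT"
    echo "-P OUTPUT ACCEPT"
    echo "-F"
    echo "-X"
    # loopback first
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A OUTPUT -o lo -j ACCEPT"
    # the notes' "block a specific IP" rule, placed before the ESTABLISHED
    # accept so an existing session from that address is cut too
    if [ -n "$BLOCK_THIS_IP" ]; then
        echo "-A INPUT -i $IFACE -s $BLOCK_THIS_IP -j DROP"
    fi
    # anything belonging to a flow we already allowed (replaces the per-port
    # --sport ESTABLISHED rules in the notes)
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # new inbound connections: SSH from the admin network only, web from anywhere
    echo "-A INPUT -i $IFACE -p tcp -s $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -i $IFACE -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT"
    # new outbound connections: SSH to the admin network only, plus DNS
    echo "-A OUTPUT -o $IFACE -p tcp -d $ADMIN_NET --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A OUTPUT -o $IFACE -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    # log (rate-limited) whatever is about to fall through to the DROP policy
    echo "-A INPUT -m limit --limit 5/min -j LOG --log-prefix iptables-drop:"
    # default deny goes last
    echo "-P INPUT DROP"
    echo "-P FORWARD DROP"
    echo "-P OUTPUT DROP"
}

# Number of lines build_rules emits; a cheap sanity check before applying.
rule_count() {
    build_rules | wc -l | tr -d ' '
}

# Apply the rule set, or with DRY_RUN=1 just print the commands that would run.
apply_rules() {
    build_rules | while IFS= read -r rule; do
        if [ "$DRY_RUN" = "1" ]; then
            echo "$IPT $rule"
        else
            # word-splitting $rule into separate arguments is intended here
            sudo "$IPT" $rule
        fi
    done
}

apply_rules
```

Run it once as a dry run, compare the output with the sections above, then apply with `DRY_RUN=0` from a console or an SSH session coming from the admin network.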

####################
# MD5 Hashing Demo #
####################
mkdir ~/demo
cd ~/demo


mkdir hashdemo
cd hashdemo
echo test > test.txt
cat test.txt
md5sum test.txt
echo hello >> test.txt
cat test.txt
md5sum test.txt
cd ..


Reference:
https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/


#################################
# Symmetric Key Encryption Demo #
#################################
mkdir gpgdemo
cd gpgdemo
echo test > test.txt
cat test.txt
gpg -c test.txt
password
password
ls | grep test
cat test.txt
cat test.txt.gpg
rm -rf test.txt
ls | grep test
gpg -o output.txt test.txt.gpg


#########################################################################################################################
# Asymmetric Key Encryption Demo #
# #
# Configure random number generator #
# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
#########################################################################################################################

sudo apt-get install rng-tools
strategicsec

sudo /etc/init.d/rng-tools start

sudo rngd -r /dev/urandom
strategicsec


echo hello > file1.txt
echo goodbye > file2.txt
echo green > file3.txt
echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
1
1024
0
y
John Doe
john@doe.com
--blank comment--
O
password
password


gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

tar -zxvf files.tar.gz.gpg

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
password

tar -zxvf output.tar.gz


Reference:
http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/


############################
# Encryption using OpenSSL #
############################
openssl genrsa -out private_key.pem 1024
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout


echo hello > encrypt.txt
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat

cat encrypt.dat

rm -rf encrypt.txt

openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt

cat decrypt.txt


##################
# SELinux Basics #
##################

sudo apt-get install selinux selinux-utils
strategicsec


- Change the SELinux mode in /etc/selinux/config (optional):

- Enforcing
sudo sed -i 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
strategicsec

- Permissive
sudo sed -i 's/SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
strategicsec

- Reboot

Reference:
http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-for-the-beginner-contexts-and-labels/


############
# AppArmor #
############
Reference:
http://www.thegeekstuff.com/2014/03/apparmor-ubuntu/


########################
# Bash Shell Scripting #
########################
http://www.thegeekstuff.com/2011/07/bash-for-loop-examples/
http://www.thegeekstuff.com/2010/07/bash-string-manipulation/
http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/


############################
# Ubuntu Server Build Task #
############################
https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

############################
# CentOS Server Build Task #
############################
https://www.howtoforge.com/tutorial/perfect-server-centos-7-1-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig3/


#########################################################################
# What kind of Linux am I on and how can I find out? #
# Great reference: #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
#########################################################################
What's the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based


What's the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-


What can be learnt from the environment variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root


What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
dpkg --get-selections | grep -v deinstall
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Are any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.......r/' # world-readable entries (the 8th mode character is the "other" read bit)


What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Search for Joomla passwords (single quotes keep the shell from expanding $password)


What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
sudo iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w


What's cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cut -d: -f1 /etc/passwd # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
sudo cat /etc/sudoers
sudo -l


What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
sudo cat /etc/shadow
ls -alh /var/mail/


Anything "interesting" in the home director(ies)? If it's possible to access them
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
sudo cat /root/anaconda-ks.cfg


What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history


What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

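A defender's check over the same key files, added here as an example and not part of the original notes: it reports private keys that group or others can read (the condition every cat line above depends on), finds key material by PEM header regardless of file name, and can tighten the modes; it assumes GNU find, stat and grep.

```bash
#!/usr/bin/env bash
# Added example (not from the original notes): audit the private-key files
# listed above. A key readable by group or others is exactly what lets an
# unprivileged "cat ~/.ssh/id_rsa" succeed. Assumes GNU find/stat/grep.
set -eu

# Shared search: private keys below $1 (public .pub files do not match the
# bare names) whose mode grants anything to group or others, i.e. looser than
# 0600. The remaining arguments are the find action to run on each hit.
_find_keys() {
    dir=$1
    shift
    find "$dir" -type f \
        \( -name id_rsa -o -name id_dsa -o -name id_ecdsa -o -name id_ed25519 \
           -o -name identity -o -name ssh_host_key -o -name 'ssh_host_*_key' \) \
        -perm /077 "$@"
}

# Report exposed keys below $1 as "<octal mode> <path>", one per line.
find_exposed_keys() {
    _find_keys "$1" -exec stat -c '%a %n' {} \; | sort
}

# How many exposed keys live below $1 (0 is the goal).
count_exposed_keys() {
    find_exposed_keys "$1" | wc -l | tr -d ' '
}

# Search by content instead of name: any text file carrying a PEM private-key
# header, so renamed or backed-up keys (old.pem, key.bak) are caught too.
find_key_material() {
    grep -rlI -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' -- "$1" || true
}

# Remediation: tighten every exposed key below $1 to 0600. Run with sudo when
# the keys belong to root (for example /etc/ssh/ssh_host_*_key).
fix_exposed_keys() {
    _find_keys "$1" -exec chmod 600 {} +
}

# Usage: ./keycheck.sh /home /etc/ssh   (report only; nothing is changed)
for dir in "$@"; do
    echo "== exposed private keys under $dir (mode path)"
    find_exposed_keys "$dir"
    echo "== files containing private-key material under $dir"
    find_key_material "$dir"
done
```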
  615.  
  616. Any settings/files (hidden) on website? Any settings file with database information?
  617. ------------------------------------------------------------------------------------
  618. ls -alhR /var/www/
  619. ls -alhR /srv/www/htdocs/
  620. ls -alhR /usr/local/www/apache22/data/
  621. ls -alhR /opt/lampp/htdocs/
  622. ls -alhR /var/www/html/
  623.  
  624.  
  625. Is there anything in the log file(s) (Could help with “Local File Includes”!)
  626. -----------------------------------------------------------------------------
  627. cat /etc/httpd/logs/access_log
  628. cat /etc/httpd/logs/access.log
  629. cat /etc/httpd/logs/error_log
  630. cat /etc/httpd/logs/error.log
  631. cat /var/log/apache2/access_log
  632. cat /var/log/apache2/access.log
  633. cat /var/log/apache2/error_log
  634. cat /var/log/apache2/error.log
  635. cat /var/log/apache/access_log
  636. cat /var/log/apache/access.log
  637. cat /var/log/auth.log
  638. cat /var/log/chttp.log
  639. cat /var/log/cups/error_log
  640. cat /var/log/dpkg.log
  641. cat /var/log/faillog
  642. cat /var/log/httpd/access_log
  643. cat /var/log/httpd/access.log
  644. cat /var/log/httpd/error_log
  645. cat /var/log/httpd/error.log
  646. cat /var/log/lastlog
  647. cat /var/log/lighttpd/access.log
  648. cat /var/log/lighttpd/error.log
  649. cat /var/log/lighttpd/lighttpd.access.log
  650. cat /var/log/lighttpd/lighttpd.error.log
  651. cat /var/log/messages
  652. cat /var/log/secure
  653. cat /var/log/syslog
  654. cat /var/log/wtmp
  655. cat /var/log/xferlog
  656. cat /var/log/yum.log
  657. cat /var/run/utmp
  658. cat /var/webmin/miniserv.log
  659. cat /var/www/logs/access_log
  660. cat /var/www/logs/access.log
  661. ls -alh /var/lib/dhcp3/
  662. ls -alh /var/log/postgresql/
  663. ls -alh /var/log/proftpd/
  664. ls -alh /var/log/samba/
  665.  
  666. Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
  667.  
  668.  
  669. ###########################
  670. # Target IP Determination #
  671. ###########################
  672. - This portion starts the actual workshop content
  673. - Zone Transfer fails on most domains, but here is an example of one that works:
  674. dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
  675.  
  676.  
  677. - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
  678. perl blindcrawl.pl -d motorola.com
  679. Look up the IP addresses at:
  680. http://www.networksolutions.com/whois/index.jsp
  681.  
  682.  
  683. - Note: If you are on a different machine and need to download blindcrawl can you download it this way:
  684. wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
  685. chmod +x blindcrawl.pl
  686.  
  687.  
  688.  
  689. cd ~/toolz/fierce2
  690. sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
  691. strategicsec
  692.  
  693.  
  694. - Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
  695. svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
  696.  
  697.  
  698. cd ~/toolz/fierce2
  699. wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
  700. tar -zxvf Template-Toolkit-2.14.tar.gz
  701. cd Template-Toolkit-2.14/
  702. perl Makefile.PL
  703. y
  704. y
  705. n
  706. y
  707. sudo make install
  708. strategicsec
  709.  
  710. cd ..
  711.  
  712. sudo bash install.sh
  713. strategicsec
  714.  
  715. ./fierce
  716.  
  717. ./fierce -dns motorola.com
  718.  
  719. cd ~/toolz/
  720.  
  721. - Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
  722. wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  723. gcc -o ipcrawl ipcrawl.c
  724. chmod +x ipcrawl
  725.  
  726.  
  727.  
  728. - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is
  729. cd ~/toolz/
  730. ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
  731.  
  732.  
  733. sudo nmap -sL 148.87.1.0-255
  734. strategicsec
  735.  
  736. sudo nmap -sL 148.87.1.0-255 | grep oracle
  737. strategicsec
  738.  
  739. - Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
  740. sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
  741. strategicsec
  742.  
  743.  
  744.  
  745.  
  746. ###########################
  747. # Load Balancer Detection #
  748. ###########################
  749.  
  750. - Here are some options to use for identifying load balancers:
  751. - http://toolbar.netcraft.com/site_report/
  752. - Firefox LiveHTTP Headers
  753.  
  754.  
  755. - Here are some command-line options to use for identifying load balancers:
  756.  
  757. dig google.com
  758.  
  759. cd ~/toolz
  760. ./lbd-0.1.sh google.com
  761.  
  762.  
  763. halberd microsoft.com
  764. halberd motorola.com
  765. halberd oracle.com
  766.  
  767.  
  768.  
  769.  
  770.  
  771. ######################################
  772. # Web Application Firewall Detection #
  773. ######################################
  774.  
  775. cd ~/toolz/wafw00f
  776. python wafw00f.py http://www.oracle.com
  777. python wafw00f.py http://www.strategicsec.com
  778.  
  779.  
  780. cd ~/toolz/
  781. sudo nmap -p 80 --script http-waf-detect.nse oracle.com
  782. strategicsec
  783.  
  784. sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
  785. strategicsec
  786.  
  787.  
  788. #########################
  789. # Playing with Nmap NSE #
  790. #########################
  791.  
  792. nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
  793.  
  794. nmap -p80 --script dns-brute strategicsec.com
  795.  
  796. nmap --script http-robtex-reverse-ip secore.info
  797.  
  798. nmap -Pn -p80 --script=http-headers strategicsec.com
  799.  
  800.  
  801. ls /usr/share/nmap/scripts | grep http
  802. nmap -Pn -p80 --script=http-* strategicsec.com
  803.  
  804. ############
  805. # Nmap NSE #
  806. ############
  807.  
  808. - Reference for this tutorial is:
  809. https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
  810.  
  811. ----------------------------------------------------------------------
  812. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  813. strategicsec
  814.  
  815.  
  816.  
  817. -- The Head Section --
  818. -- The Rule Section --
  819. portrule = function(host, port)
  820. return port.protocol == "tcp"
  821. and port.number == 80
  822. and port.state == "open"
  823. end
  824.  
  825. -- The Action Section --
  826. action = function(host, port)
  827. return "I love Linux!"
  828. end
  829. ----------------------------------------------------------------------
  830.  
  831. - Ok, now that we've made that change let's run the script
  832. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  833.  
  834.  
  835.  
  836.  
  837.  
  838.  
  839. ----------------------------------------------------------------------
  840. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  841.  
  842. -- The Head Section --
  843. local shortport = require "shortport"
  844.  
  845. -- The Rule Section --
  846. portrule = shortport.http
  847.  
  848.  
  849. -- The Action Section --
  850. action = function(host, port)
  851. return "I still love Linux!"
  852. end
  853. ----------------------------------------------------------------------
  854.  
  855. - Ok, now that we've made that change let's run the script
  856. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  857.  
  858.  
  859.  
  860.  
  861.  
  862.  
  863.  
  864. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.
  865.  
  866. ----------------------------------------------------------------------
  867. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  868.  
  869. -- The Head Section --
  870. local shortport = require "shortport"
  871. local http = require "http"
  872.  
  873. -- The Rule Section --
  874. portrule = shortport.http
  875.  
  876. -- The Action Section --
  877. action = function(host, port)
  878.  
  879. local uri = "/installing-metasploit-in-ubunt/"
  880. local response = http.get(host, port, uri)
  881. return response.status
  882.  
  883. end
  884. ----------------------------------------------------------------------
  885.  
  886. - Ok, now that we've made that change let's run the script
  887. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  888.  
  889.  
  890.  
  891.  
  892. ----------------------------------------------------------------------
  893. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  894.  
  895. -- The Head Section --
  896. local shortport = require "shortport"
  897. local http = require "http"
  898.  
  899. -- The Rule Section --
  900. portrule = shortport.http
  901.  
  902. -- The Action Section --
  903. action = function(host, port)
  904.  
  905. local uri = "/installing-metasploit-in-ubunt/"
  906. local response = http.get(host, port, uri)
  907.  
  908. if ( response.status == 200 ) then
  909. return response.body
  910. end
  911.  
  912. end
  913. ----------------------------------------------------------------------
  914.  
  915. - Ok, now that we've made that change let's run the script
  916. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  917.  
  918.  
  919.  
  920.  
  921.  
  922.  
  923.  
  924.  
  925.  
  926. ----------------------------------------------------------------------
  927. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  928.  
  929. -- The Head Section --
  930. local shortport = require "shortport"
  931. local http = require "http"
  932. local string = require "string"
  933.  
  934. -- The Rule Section --
  935. portrule = shortport.http
  936.  
  937. -- The Action Section --
  938. action = function(host, port)
  939.  
  940. local uri = "/installing-metasploit-in-ubunt/"
  941. local response = http.get(host, port, uri)
  942.  
  943. if ( response.status == 200 ) then
  944. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  945. return title
  946. end
  947.  
  948. end
  949. ----------------------------------------------------------------------
  950.  
  951. - Ok, now that we've made that change let's run the script
  952. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  953.  
  954.  
  955.  
  956.  
  957.  
  958.  
  959.  
  960. ----------------------------------------------------------------------
  961. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  962.  
  963. -- The Head Section --
  964. local shortport = require "shortport"
  965. local http = require "http"
  966. local string = require "string"
  967.  
  968. -- The Rule Section --
  969. portrule = shortport.http
  970.  
  971. -- The Action Section --
  972. action = function(host, port)
  973.  
  974. local uri = "/installing-metasploit-in-ubunt/"
  975. local response = http.get(host, port, uri)
  976.  
  977. if ( response.status == 200 ) then
  978. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  979.  
  980. if (title) then
  981. return "Vulnerable"
  982. else
  983. return "Not Vulnerable"
  984. end
  985. end
  986. end
  987.  
  988. ----------------------------------------------------------------------
  989.  
  990. - Ok, now that we've made that change let's run the script
  991. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  992.  
  993.  
  994.  
  995. ####################
  996. # Installing Scapy #
  997. ####################
  998.  
  999. sudo apt-get update
  1000. sudo apt-get install python-scapy python-pyx python-gnuplot
  1001.  
  1002.  
  1003. - Reference Page For All Of The Commands We Will Be Running:
  1004. http://samsclass.info/124/proj11/proj17-scapy.html
  1005.  
  1006.  
  1007.  
  1008.  
  1009.  
  1010. - To run Scapy interactively
  1011.  
  1012. sudo scapy
  1013.  
  1014.  
  1015.  
  1016. #####################################
  1017. # Sending ICMPv4 Packets with scapy #
  1018. #####################################
  1019.  
  1020. - In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
  1021.  
  1022. i = IP()
  1023.  
  1024.  
  1025.  
  1026.  
  1027. - This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
  1028.  
  1029. i.display()
  1030.  
  1031.  
  1032.  
  1033.  
  1034. - Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
  1035.  
  1036. i.dst="192.168.54.184"
  1037.  
  1038. i.display()
  1039.  
  1040.  
  1041.  
  1042.  
  1043. - Notice that scapy automatically fills in your machine's source IP address.
  1044.  
  1045. - Use these commands to create an object named ic of type ICMP and display its properties:
  1046.  
  1047.  
  1048. ic = ICMP()
  1049.  
  1050. ic.display()
  1051.  
  1052.  
  1053.  
  1054.  
  1055.  
  1056. - Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
  1057.  
  1058. sr1(i/ic)
  1059.  
  1060.  
  1061.  
  1062.  
  1063.  
  1064. - This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.
  1065.  
  1066.  
  1067. - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
  1068.  
  1069. - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
  1070.  
  1071.  
  1072. sr1(i/ic/"YOUR NAME")
  1073.  
  1074.  
  1075. - You should see a reply with a Raw section containing your name.
  1076.  
  1077.  
  1078.  
  1079. ###################################
  1080. # Sending a UDP Packet with Scapy #
  1081. ###################################
  1082.  
  1083.  
  1084. - Preparing the Target
  1085. $ ncat -ulvp 4444
  1086.  
  1087.  
  1088.  
  1089.  
  1090. --open another terminal--
  1091. - In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
  1092.  
  1093. u = UDP()
  1094.  
  1095. u.display()
  1096.  
  1097.  
  1098.  
  1099. - This creates an object named u of type UDP, and displays its properties.
  1100.  
  1101. - Execute these commands to change the destination port to 4444 and display the properties again:
  1102.  
  1103. i.dst="192.168.54.184" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
  1104.  
  1105. u.dport = 4444
  1106.  
  1107. u.display()
  1108.  
  1109.  
  1110.  
  1111. - Execute this command to send the packet to the Windows machine:
  1112.  
  1113. send(i/u/"YOUR NAME SENT VIA UDP\n")
  1114.  
  1115.  
  1116.  
  1117. - On the Windows target, you should see the message appear in the ncat listener.
  1118.  
  1119.  
  1120. p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))  # A-record query over UDP/53; p holds the answer
  1121.  
  1122.  
  1123. p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))  # one SYN per listed port; sr() returns (answered, unanswered)
  1124.  
  1125.  
  1126. p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))  # the same for a single port
  1127.  
  1128.  
  1129. traceroute(["strategicsec.com"], maxttl=20)
  1130. scapy's traceroute() sends TCP SYN probes (each hop answers with an ICMP time-exceeded message) and defaults to destination port 80
  1131.  
  1132.  
  1133. traceroute(["strategicsec.com"], dport=443, maxttl=20)
  1134.  
  1135.  
  1136.  
  1137. ############################
  1138. # Ping Sweeping with Scapy #
  1139. ############################
  1140.  
  1141. ----------------------------------------------------------------------
  1142. vi scapy-pingsweep.py
  1143.  
  1144.  
  1145. #!/usr/bin/python
  1146. from scapy.all import *
  1147.  
  1148. TIMEOUT = 2
  1149. conf.verb = 0
  1150. for ip in range(0, 256):
  1151.     packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
  1152.     reply = sr1(packet, timeout=TIMEOUT)
  1153.     if reply is not None:
  1154.         print("%s is online" % reply.src)  # the echo reply comes FROM the live host; reply.dst would be our own address
  1155.     else:
  1156.         print("Timeout waiting for %s" % packet[IP].dst)
  1157. ----------------------------------------------------------------------
  1158.  
  1159.  
  1160. ###############################################
  1161. # Checking out some scapy based port scanners #
  1162. ###############################################
  1163.  
  1164. wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
  1165.  
  1166. cat rdp_scan.py
  1167.  
  1168. sudo python rdp_scan.py 192.168.1.250
  1169.  
  1170.  
  1171.  
  1172. Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
  1173.  
  1174. After logging in, please open a terminal window and type the following commands:
  1175.  
  1176. cd Desktop/
  1177.  
  1178.  
  1179. This is actual malware (remember to run it in a VM); the password to extract it is 'infected':
  1180.  
  1181. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1182. wget http://www.beenuarora.com/code/analyse_malware.py
  1183.  
  1184. unzip malware-password-is-infected.zip
  1185. infected
  1186.  
  1187. file malware.exe
  1188.  
  1189. mv malware.exe malware.pdf
  1190.  
  1191. file malware.pdf
  1192.  
  1193. mv malware.pdf malware.exe
  1194.  
  1195. hexdump -n 2 -C malware.exe
  1196.  
  1197. ***What is '4d 5a' (i.e. 'MZ')?***
  1198. Reference: http://www.garykessler.net/library/file_sigs.html
  1199.  
  1200.  
  1201. objdump -x malware.exe
  1202.  
  1203. strings malware.exe
  1204.  
  1205. strings --all malware.exe | head -n 6
  1206.  
  1207. strings malware.exe | grep -i dll
  1208.  
  1209. strings malware.exe | grep -i library
  1210.  
  1211. strings malware.exe | grep -i reg
  1212.  
  1213. strings malware.exe | grep -i hkey
  1214.  
  1215. strings malware.exe | grep -i hku
  1216.  
  1217. - We didn't see anything like HKLM, HKCU or other registry-related strings
  1218.  
  1219. strings malware.exe | grep -i irc
  1220.  
  1221. strings malware.exe | grep -i join
  1222.  
  1223. strings malware.exe | grep -i admin
  1224.  
  1225. strings malware.exe | grep -i list
  1226.  
  1227.  
  1228. - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  1229. sudo apt-get install -y python-pefile
  1230.  
  1231. vi analyse_malware.py
  1232.  
  1233. python analyse_malware.py malware.exe
  1234.  
  1235.  
  1236. Here is a 2-million-sample malware DB created by Derek Morton that you can use to seed your own DB:
  1237. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  1238.  
  1239.  
  1240. Malware Repositories:
  1241. http://malshare.com/index.php
  1242. http://www.malwareblacklist.com/
  1243. http://www.virusign.com/
  1244. http://virusshare.com/
  1245. http://www.tekdefense.com/downloads/malware-samples/
  1246.  
  1247. ###############################
  1248. # Creating a Malware Database #
  1249. ###############################
  1250.  
  1251. Creating a malware database (sqlite)
  1252. ------------------------------------
  1253. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1254. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1255. unzip malware-password-is-infected.zip
  1256. infected
  1257. python avsubmit.py --init
  1258. python avsubmit.py -f malware.exe -e
  1259.  
  1260.  
  1261.  
  1262.  
  1263.  
  1264. Creating a malware database (mysql)
  1265. -----------------------------------
  1266. Step 1: Installing MySQL database
  1267. Run the following command in the terminal:
  1268.  
  1269. sudo apt-get install mysql-server
  1270.  
  1271. Step 2: Installing Python MySQLdb module
  1272. Run the following command in the terminal:
  1273.  
  1274. sudo apt-get build-dep python-mysqldb
  1275. sudo apt-get install python-mysqldb
  1276.  
  1277. Step 3: Logging in
  1278. Run the following command in the terminal:
  1279.  
  1280. mysql -u root -p (set a password of 'malware')
  1281.  
  1282. Then create a database by running the following command:
  1283.  
  1284. create database malware;
  1285.  
  1286.  
  1287.  
  1288. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1289.  
  1290. vi mal_to_db.py (fill in the database connection information)
  1291.  
  1292. python mal_to_db.py -i
  1293.  
  1294. python mal_to_db.py -i -f malware.exe -u
  1295.  
  1296.  
  1297. mysql -u root -p
  1298. malware
  1299.  
  1300. mysql> use malware;
  1301.  
  1302. mysql> select id,md5,sha1,sha256,time FROM files;
  1303.  
  1304. mysql> quit;
  1305.  
  1306.  
  1307.  
  1308.  
  1309.  
  1310. ##############################
  1311. # Lesson 32: Setting up Yara #
  1312. ##############################
  1313.  
  1314.  
  1315. sudo apt-get install clamav clamav-freshclam
  1316.  
  1317. sudo freshclam
  1318.  
  1319. sudo clamscan
  1320.  
  1321. sudo apt-get install libpcre3 libpcre3-dev
  1322.  
  1323. wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
  1324.  
  1325. wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
  1326.  
  1327. tar -zxvf v3.1.0.tar.gz
  1328.  
  1329. cd yara-3.1.0/
  1330.  
  1331. ./bootstrap.sh
  1332.  
  1333. ./configure
  1334.  
  1335. make
  1336.  
  1337. make check
  1338.  
  1339. sudo make install
  1340.  
  1341. cd yara-python/
  1342.  
  1343. python setup.py build
  1344.  
  1345. sudo python setup.py install
  1346.  
  1347. cd ..
  1348.  
  1349. yara -v
  1350.  
  1351. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
  1352.  
  1353. sigtool -u /var/lib/clamav/main.cvd
  1354.  
  1355. python clamav_to_yara.py -f main.ndb -o clamav.yara
  1356.  
  1357. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1358.  
  1359. unzip malware-password-is-infected.zip
  1360. infected
  1361.  
  1362. mkdir malcode/
  1363.  
  1364. mv malware.exe malcode/
  1365.  
  1366. vi testrule.yara
  1367. ----------------
  1368. rule IsPE
  1369. {
  1370.     meta:
  1371.         description = "Windows executable file"
  1372.  
  1373.     condition:
  1374.         // MZ signature at offset 0 and ...
  1375.         uint16(0) == 0x5A4D and
  1376.         // ... PE signature at offset stored in MZ header at 0x3C
  1377.         uint32(uint32(0x3C)) == 0x00004550
  1378. }
  1379.  
  1380. rule has_no_DEP
  1381. {
  1382.     meta:
  1383.         description = "DEP is not enabled"
  1384.  
  1385.     condition:
  1386.         IsPE and
  1387.         uint16(uint32(0x3C)+0x5E) & 0x0100 == 0   // DllCharacteristics lacks NX_COMPAT
  1388. }
  1389.  
  1390. rule has_no_ASLR
  1391. {
  1392.     meta:
  1393.         description = "ASLR is not enabled"
  1394.  
  1395.     condition:
  1396.         IsPE and
  1397.         uint16(uint32(0x3C)+0x5E) & 0x0040 == 0   // DllCharacteristics lacks DYNAMIC_BASE
  1398. }
  1399. ----------------
  1400.  
  1401.  
  1402. yara testrule.yara malcode/malware.exe
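The three rules above in plain Python, as an added example that is not part of the course or of yara: it walks the same offsets (the 'MZ' from the hexdump, e_lfanew at 0x3C, DllCharacteristics at e_lfanew+0x5E) and builds a constructed header to test against, since the real sample is not included here. The function names are my own.

```python
import struct

# IMAGE_DLLCHARACTERISTICS bits tested by the has_no_DEP / has_no_ASLR rules
DYNAMIC_BASE = 0x0040   # image may be relocated at load time (ASLR opt-in)
NX_COMPAT = 0x0100      # image is compatible with DEP/NX

def pe_mitigations(data):
    """Same checks as IsPE / has_no_DEP / has_no_ASLR, on raw bytes rather than via yara.
    Returns None if the bytes are not a PE image, otherwise the state of the two flags."""
    # uint16(0) == 0x5A4D: the 'MZ' the hexdump showed (little-endian 4d 5a)
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]     # uint32(0x3C)
    if len(data) < e_lfanew + 0x60 or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None                                        # uint32(uint32(0x3C)) == 0x00004550
    # 4-byte signature + 20-byte COFF header, then the optional header; DllCharacteristics is
    # at optional-header offset 70 for PE32 and PE32+, so e_lfanew + 24 + 70 == e_lfanew + 0x5E.
    dllchars = struct.unpack_from("<H", data, e_lfanew + 0x5E)[0]
    return {"dll_characteristics": dllchars,
            "dep": bool(dllchars & NX_COMPAT),
            "aslr": bool(dllchars & DYNAMIC_BASE)}

def rule_matches(data):
    """Names of the testrule.yara rules that would fire, in the order yara prints them."""
    info = pe_mitigations(data)
    if info is None:
        return []
    matches = ["IsPE"]
    if not info["dep"]:
        matches.append("has_no_DEP")
    if not info["aslr"]:
        matches.append("has_no_ASLR")
    return matches

def make_pe_stub(dll_characteristics, e_lfanew=0x80):
    """Constructed test input: a DOS header pointing at a PE signature, a COFF header and a
    PE32 optional header carrying the given flags. Enough for the header checks, not loadable."""
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, 224-byte opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                    # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos + b"PE\x00\x00" + coff + bytes(opt)

if __name__ == "__main__":
    for flags in (0, NX_COMPAT | DYNAMIC_BASE):
        print(hex(flags), rule_matches(make_pe_stub(flags)))
    # Renaming malware.exe to .pdf changes nothing: the check reads bytes, not the extension.
    print(rule_matches(b"%PDF-1.4\n"))
```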
  1403.  
  1404. mkdir rules/
  1405.  
  1406. cd rules/
  1407.  
  1408. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
  1409.  
  1410. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
  1411.  
  1412. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
  1413.  
  1414. cd ..
  1415.  
  1416. yara rules/ malcode/malware.exe
  1417.  
  1418. wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
  1419.  
  1420. unzip master.zip
  1421.  
  1422. cd YaraGenerator-master/
  1423.  
  1424. python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
  1425.  
  1426. cat Test-Rule-2.yar
  1427.  
  1428. wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  1429.  
  1430. yara Test-Rule-2.yar putty.exe
  1431.  
  1432.  
  1433.  
  1434.  
  1435. ####################
  1436. # Additional Tasks #
  1437. ####################
  1438.  
  1439. - PE Scanner:
  1440. https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  1441. http://www.beenuarora.com/code/analyse_malware.py
  1442.  
  1443. - AV submission:
  1444. http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1445. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
  1446.  
  1447. - Malware Database Creation:
  1448. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1449.  
  1450.  
  1451.  
  1452.  
  1453. cd /home/malware/Desktop/Browser\ Forensics
  1454.  
  1455. ls | grep pcap
  1456.  
  1457. perl chaosreader.pl suspicious-time.pcap
  1458.  
  1459. firefox index.html
  1460.  
  1461. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1462.  
  1463. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1464.  
  1465. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1466.  
  1467.  
  1468.  
  1469.  
  1470. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1471.  
  1472.  
  1473. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1474.  
  1475.  
  1476. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1477.  
  1478.  
  1479. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1480.  
  1481.  
  1482. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  1483.  
  1484.  
  1485. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1486.  
  1487. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1488.  
  1489. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1490.  
  1491. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1492.  
  1493. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1494.  
  1495.  
  1496. whois rapidshare.com.eyu32.ru
  1497.  
  1498. whois sploitme.com.cn
  1499.  
  1500.  
  1501.  
  1502.  
  1503.  
  1504. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1505.  
  1506. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1507.  
  1508. tshark -r suspicious-time.pcap -qz http_req,tree
  1509.  
  1510. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1511.  
  1512. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1513.  
  1514.  
  1515.  
  1516.  
  1517.  
  1518. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1519.  
  1520. python volatility
  1521. python volatility pslist -f ../hn_forensics.vmem
  1522. python volatility connscan2 -f ../hn_forensics.vmem
  1523. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  1524. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  1525. ***Takes a few minutes***
  1526. strings 1752.dmp | grep "^http://" | sort | uniq
  1527. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1528. cd ..
  1529. cd foremost-1.5.7/
  1530. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  1531. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  1532. cat audit.txt
  1533. cd pdf
  1534. ls
  1535. grep -i javascript *.pdf
  1536.  
  1537.  
  1538.  
  1539. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  1540. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1541. unzip pdf-parser_V0_6_4.zip
  1542. python pdf-parser.py -s javascript --raw 00600328.pdf
  1543. python pdf-parser.py --object 11 00600328.pdf
  1544. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  1545.  
  1546. cat malicious.js
  1547.  
  1548.  
  1549. *****Sorry - no time to cover javascript de-obfuscation today*****
  1550.  
  1551.  
  1552. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  1553. python volatility files -f ../hn_forensics.vmem > files
  1554. cat files | less
  1555. python volatility malfind -f ../hn_forensics.vmem -d out
  1556. ls out/
  1557. python volatility hivescan -f ../hn_forensics.vmem
  1558. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1559. for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done