Network+

##################################################
# Configuring the EIGRP dynamic routing protocol #
##################################################
https://www.net-refresh.com/routing3.html

1. On Router1 configure the following interfaces with IP addresses:
? f0/0 with IP address 10.0.0.1/24
? s0/0 with IP address 1.0.0.1/30
? s0/1 with IP address 2.0.0.1/30

-----Type these commands on router 1----
enable
configure terminal
   interface f0/0
     ip address 10.0.0.1 255.255.255.0
     no shutdown
   interface s0/0
     ip address 1.0.0.1 255.255.255.252
     no shutdown
   interface s0/1
     ip address 2.0.0.1 255.255.255.252
     no shutdown
----------------------------------------


2. On Router2 configure the following interfaces with IP addresses:
? f0/0 with IP address 20.0.0.1/24
? f0/1 with IP address 4.0.0.1/30
? s0/0 with IP address 1.0.0.2/30
? s0/1 with IP address 3.0.0.1/30

-----Type these commands on router 2----
enable
configure terminal
   interface f0/0
     ip address 20.0.0.1 255.255.255.0
     no shutdown
   interface f0/1
     ip address 4.0.0.1 255.255.255.252
     no shutdown
   interface s0/0
     ip address 1.0.0.2 255.255.255.252
     no shutdown
   interface s0/1
     ip address 3.0.0.1 255.255.255.252
     no shutdown
----------------------------------------

3. On Router3 configure the following interfaces with IP addresses:
? f0/0 with IP address 30.0.0.1/24
? s0/0 with IP address 3.0.0.2/30
? s0/1 with IP address 2.0.0.2/30


-----Type these commands on router 3----
enable
configure terminal
   interface f0/0
     ip address 30.0.0.1 255.255.255.0
     no shutdown
   interface s0/0
     ip address 3.0.0.2 255.255.255.252
     no shutdown
   interface s0/1
     ip address 2.0.0.2 255.255.255.252
     no shutdown
----------------------------------------

4. On Router4 configure the following interfaces with IP addresses:
? f0/0 with IP address 40.0.0.1/24
? f0/1 with IP address 4.0.0.2/30


-----Type these commands on router 4----
enable
configure terminal
   interface f0/0
     ip address 40.0.0.1 255.255.255.0
     no shutdown
   interface f0/1
     ip address 4.0.0.2 255.255.255.252
     no shutdown
----------------------------------------

5. On Router1 configure EIGRP to achieve the following requirements:
? Autonomous system 10
? Auto route summarization disabled
? All attached networks should be advertised
? No EIGRP routing updates should be sent towards Host1

-----Type these commands on router 1----
enable
configure terminal
   router eigrp 10
     network no auto-summary
     network 1.0.0.0 0.0.0.3
     network 2.0.0.0 0.0.0.3
     exit
----------------------------------------


6. On Router2 configure EIGRP to achieve the following requirements:
 ?Autonomous system 10
? Auto route summarization disabled
? All attached networks should be advertised
? No EIGRP routing updates should be sent towards Host2

-----Type these commands on router 2----
enable
configure terminal
   router eigrp 10
     network no auto-summary
     network 4.0.0.0 0.0.0.3
     network 1.0.0.0 0.0.0.3
     network 3.0.0.0 0.0.0.3
     exit
----------------------------------------

7. On Router3 configure EIGRP to achieve the following requirements:
?Autonomous system 10
? Auto route summarization disabled
? All attached networks should be advertised
? No EIGRP routing updates should be sent towards Host3

-----Type these commands on router 1----
enable
configure terminal
   router eigrp 10
     network no auto-summary
     network 3.0.0.0 0.0.0.3
     network 2.0.0.0 0.0.0.3
     exit
----------------------------------------

8. On Router4 configure EIGRP to achieve the following requirements:
?Autonomous system 10
? Auto route summarization disabled
? All attached networks should be advertised
? No EIGRP routing updates should be sent towards Host4

-----Type these commands on router 1----
enable
configure terminal
   router eigrp 10
     network no auto-summary
     network 4.0.0.0 0.0.0.3
     exit
----------------------------------------


#########################
# Connect to the server #
#########################

Use Putty to SSH into my Ubuntu host in order to perform the lab tasks below.

You can download Putty from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


IP Address:     	144.202.37.49
Protocol:           	ssh
Port:               	22
username:           	np
password:


########################
# Basic Linux Commands #
########################

---------------------------Type the following commands-----------------------------------
cd ~

mkdir yourname			<--- NOTE: Be sure not to create a directory literally called 'yourname'. It should be your first name in all lower case

cd yourname			<--- Note: Homework will be double tonight if I see a directory called 'yourname' on this server

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir LinuxBasics

cd LinuxBasics

touch one two three

ls -l t     			(without pressing the Enter key, press the Tab key twice. What happens?)

h       			(and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'    	(What happens?)

Press 'Ctrl-A'          	(What happens?)

ls

clear               		(What happens?)

echo one > one

cat one             		(What happens?)

man cat             		(What happens?)
    q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three           		(What happens?)

wc -l three

man wc
    q

cat three | grep four

cat three | grep one

man grep
    q


man ps
    q

ps

ps aux

ps aux | less

Press the 'Up arrow key'    (What happens?)

Press the 'Down arrow key'  (What happens?)
    q

top
    q
-----------------------------------------------------------------------------------------


#########
# Files #
#########

---------------------------Type the following commands-----------------------------------

cd ~/yourname

pwd

ls

cd LinuxBasics

pwd

cd ~

pwd

cd LinuxBasics

ls

mkdir files

cp one files/

ls files/

cd files/

cp ../two .

ls

cp ../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

sudo apt-get install -y zip unzip

zip data *

unzip -l data.zip

unzip data.zip -d /tmp

unzip -l data.zip
-----------------------------------------------------------------------------------------


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------

---------------------------Type this command-----------------------------------
sudo nmap -sP 157.166.226.*

-------------------------------------------------------------------------------


    -if -SP yields no results try:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.*

-------------------------------------------------------------------------------


    -Look for hostnames:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn

-------------------------------------------------------------------------------


- Port Scan
What's where?
------------
---------------------------Type this command-----------------------------------
sudo nmap -sS 162.243.126.247

-------------------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running
-------------------------------------

---------------------------Type this command-----------------------------------
sudo nmap -sV 162.243.126.247

-------------------------------------------------------------------------------


- Vulnerability Research
Lookup the banner versions for public exploits
----------------------------------------------
https://www.exploit-db.com/search
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


##############################################
# Log Analysis with Linux command-line tools #
##############################################
The following command line executables are found in the Mac as well as most Linux Distributions.

cat –  prints the content of a file in the terminal window

grep – searches and filters based on patterns

awk –  can sort each row into fields and display only what is needed

sed –  performs find and replace functions

sort – arranges output in an order

uniq – compares adjacent lines and can report, filter or provide a count of duplicates


##############
# Cisco Logs #
##############

---------------------------Type this command-----------------------------------
wget http://45.63.104.73/cisco.log
-------------------------------------------------------------------------------


AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-------------------------------------------------------------------------------


Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
-------------------------------------------------------------------------------


While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.

-----------------------------Type this-----------------------------------------
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------


Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.

---------------------------Type the following commands-----------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn

------------------------------------------------------------------------------------------


################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).


The fastest thing you can do is perform static analysis.


###################
# Static Analysis #
###################

- After logging please open a terminal window and type the following commands:


---------------------------Type the following commands-----------------------------------
cd ~/yourname

wget http://45.63.104.73/wannacry.zip

unzip wannacry.zip
     infected

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------------------------


***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html


---------------------------Type the following commands-----------------------------------
objdump -x wannacry.exe

objdump -x wannacry.exe | less
     q

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------------------------


Quick Google search for "wannacry ransomeware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/


- Yara Rule -


Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase


Ok, let's look for the individual strings


---------------------------Type the following commands-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....

strings wannacry.exe | grep -i icacls		**** Matches $s5, hmmm.....


----------------------------------------------------------------------------------------