joemccray

Network+

May 7th, 2019
##################################################
# Configuring the EIGRP dynamic routing protocol #
##################################################
https://www.net-refresh.com/routing3.html

1. On Router1 configure the following interfaces with IP addresses:
- f0/0 with IP address 10.0.0.1/24
- s0/0 with IP address 1.0.0.1/30
- s0/1 with IP address 2.0.0.1/30

-----Type these commands on router 1----
enable
configure terminal
interface f0/0
ip address 10.0.0.1 255.255.255.0
no shutdown
interface s0/0
ip address 1.0.0.1 255.255.255.252
no shutdown
interface s0/1
ip address 2.0.0.1 255.255.255.252
no shutdown
----------------------------------------


2. On Router2 configure the following interfaces with IP addresses:
- f0/0 with IP address 20.0.0.1/24
- f0/1 with IP address 4.0.0.1/30
- s0/0 with IP address 1.0.0.2/30
- s0/1 with IP address 3.0.0.1/30

-----Type these commands on router 2----
enable
configure terminal
interface f0/0
ip address 20.0.0.1 255.255.255.0
no shutdown
interface f0/1
ip address 4.0.0.1 255.255.255.252
no shutdown
interface s0/0
ip address 1.0.0.2 255.255.255.252
no shutdown
interface s0/1
ip address 3.0.0.1 255.255.255.252
no shutdown
----------------------------------------

3. On Router3 configure the following interfaces with IP addresses:
- f0/0 with IP address 30.0.0.1/24
- s0/0 with IP address 3.0.0.2/30
- s0/1 with IP address 2.0.0.2/30


-----Type these commands on router 3----
enable
configure terminal
interface f0/0
ip address 30.0.0.1 255.255.255.0
no shutdown
interface s0/0
ip address 3.0.0.2 255.255.255.252
no shutdown
interface s0/1
ip address 2.0.0.2 255.255.255.252
no shutdown
----------------------------------------

4. On Router4 configure the following interfaces with IP addresses:
- f0/0 with IP address 40.0.0.1/24
- f0/1 with IP address 4.0.0.2/30


-----Type these commands on router 4----
enable
configure terminal
interface f0/0
ip address 40.0.0.1 255.255.255.0
no shutdown
interface f0/1
ip address 4.0.0.2 255.255.255.252
no shutdown
----------------------------------------

5. On Router1 configure EIGRP to achieve the following requirements:
- Autonomous system 10
- Auto route summarization disabled
- All attached networks should be advertised
- No EIGRP routing updates should be sent towards Host1

-----Type these commands on router 1----
enable
configure terminal
router eigrp 10
no auto-summary
network 10.0.0.0 0.0.0.255
network 1.0.0.0 0.0.0.3
network 2.0.0.0 0.0.0.3
passive-interface f0/0
exit
----------------------------------------

Notes: "no auto-summary" is a command of its own in router configuration mode (it is not an argument to "network"). Every directly connected network that should be advertised, including the 10.0.0.0/24 LAN behind f0/0, needs its own network statement with a wildcard mask, and "passive-interface f0/0" stops EIGRP hellos and updates from leaving the host-facing interface while the LAN prefix is still advertised to the other routers. The same pattern is used on Routers 2 to 4 below.


6. On Router2 configure EIGRP to achieve the following requirements:
- Autonomous system 10
- Auto route summarization disabled
- All attached networks should be advertised
- No EIGRP routing updates should be sent towards Host2

-----Type these commands on router 2----
enable
configure terminal
router eigrp 10
no auto-summary
network 20.0.0.0 0.0.0.255
network 4.0.0.0 0.0.0.3
network 1.0.0.0 0.0.0.3
network 3.0.0.0 0.0.0.3
passive-interface f0/0
exit
----------------------------------------

7. On Router3 configure EIGRP to achieve the following requirements:
- Autonomous system 10
- Auto route summarization disabled
- All attached networks should be advertised
- No EIGRP routing updates should be sent towards Host3

-----Type these commands on router 3----
enable
configure terminal
router eigrp 10
no auto-summary
network 30.0.0.0 0.0.0.255
network 3.0.0.0 0.0.0.3
network 2.0.0.0 0.0.0.3
passive-interface f0/0
exit
----------------------------------------

8. On Router4 configure EIGRP to achieve the following requirements:
- Autonomous system 10
- Auto route summarization disabled
- All attached networks should be advertised
- No EIGRP routing updates should be sent towards Host4

-----Type these commands on router 4----
enable
configure terminal
router eigrp 10
no auto-summary
network 40.0.0.0 0.0.0.255
network 4.0.0.0 0.0.0.3
passive-interface f0/0
exit
----------------------------------------
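Added example (not part of this lab or of the net-refresh page): a small POSIX shell checker that applies the EIGRP wildcard-mask rule to Router1's addressing, so you can see which interfaces a given set of network statements actually enables. The interface list is constructed from the Router1 addressing above; the first network list deliberately leaves out the 10.0.0.0/24 LAN so the check shows what goes unadvertised, and the second adds it. Function and variable names are my own.

```shell
#!/bin/sh
# Added example: which Router1 interfaces does a list of EIGRP "network"
# statements cover? A wildcard bit of 0 means "must match", so an interface
# address A is enabled by "network N W" exactly when (A AND NOT W) == (N AND NOT W).
# Data below is constructed from the Router1 addressing in this lab.
LC_ALL=C
export LC_ALL

# Router1 interfaces: "name address", one per line.
R1_INTERFACES="f0/0 10.0.0.1
s0/0 1.0.0.1
s0/1 2.0.0.1"

# Network statements as "network wildcard" pairs. The first list omits the
# LAN statement on purpose; the second includes it.
NETS_WITHOUT_LAN="1.0.0.0 0.0.0.3 2.0.0.0 0.0.0.3"
NETS_WITH_LAN="10.0.0.0 0.0.0.255 1.0.0.0 0.0.0.3 2.0.0.0 0.0.0.3"

# eigrp_matches ADDR NETWORK WILDCARD -> prints yes or no.
# Compared one octet at a time, which stays inside POSIX sh arithmetic.
eigrp_matches() {
    em_addr=$1 em_net=$2 em_wild=$3
    em_i=1
    while [ "$em_i" -le 4 ]; do
        a=$(echo "$em_addr" | cut -d. -f"$em_i")
        n=$(echo "$em_net"  | cut -d. -f"$em_i")
        w=$(echo "$em_wild" | cut -d. -f"$em_i")
        if [ $(( a & ~w & 255 )) -ne $(( n & ~w & 255 )) ]; then
            echo no
            return 0
        fi
        em_i=$((em_i + 1))
    done
    echo yes
}

# covered_by_any ADDR NET WILD [NET WILD ...] -> exit 0 if any pair matches.
covered_by_any() {
    cb_addr=$1
    shift
    while [ $# -ge 2 ]; do
        [ "$(eigrp_matches "$cb_addr" "$1" "$2")" = yes ] && return 0
        shift 2
    done
    return 1
}

# unadvertised_interfaces NET WILD [NET WILD ...] -> prints each Router1
# interface that no statement covers. EIGRP will not run on those links and
# their prefixes are never advertised to the neighbours.
unadvertised_interfaces() {
    echo "$R1_INTERFACES" | while read -r name addr; do
        covered_by_any "$addr" "$@" || echo "$name $addr"
    done
}

echo "Not advertised with the LAN statement missing:"
unadvertised_interfaces $NETS_WITHOUT_LAN
echo "Not advertised with the LAN statement present:"
unadvertised_interfaces $NETS_WITH_LAN
```

Run it as-is; the first list reports f0/0 10.0.0.1 as uncovered, the second reports nothing. Swap in a subnet mask by mistake (255.255.255.0 instead of 0.0.0.255) and eigrp_matches answers no for the LAN, which is the classic symptom of a wildcard typed as a netmask.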


#########################
# Connect to the server #
#########################

Use PuTTY to SSH into my Ubuntu host in order to perform the lab tasks below.

You can download PuTTY from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


IP Address: 144.202.37.49
Protocol: ssh
Port: 22
username: np
password:


########################
# Basic Linux Commands #
########################

---------------------------Type the following commands-----------------------------------
cd ~

mkdir yourname <--- NOTE: Be sure not to create a directory literally called 'yourname'. It should be your first name in all lower case

cd yourname <--- Note: Homework will be double tonight if I see a directory called 'yourname' on this server

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir LinuxBasics

cd LinuxBasics

touch one two three

ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)

h (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key' (What happens?)

Press 'Ctrl-A' (What happens?)

ls

clear (What happens?)

echo one > one

cat one (What happens?)

man cat (What happens?)
q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three (What happens?)

wc -l three

man wc
q

cat three | grep four

cat three | grep one

man grep
q


man ps
q

ps

ps aux

ps aux | less

Press the 'Up arrow key' (What happens?)

Press the 'Down arrow key' (What happens?)
q

top
q
-----------------------------------------------------------------------------------------



#########
# Files #
#########

---------------------------Type the following commands-----------------------------------

cd ~/yourname

pwd

ls

cd LinuxBasics

pwd

cd ~

pwd

cd LinuxBasics

ls

mkdir files

cp one files/

ls files/

cd files/

cp ../two .

ls

cp ../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

sudo apt-get install -y zip unzip

zip data *

unzip -l data.zip

unzip data.zip -d /tmp

unzip -l data.zip
-----------------------------------------------------------------------------------------



########################
# Scanning Methodology #
########################

Only run these scans against addresses you have permission to test.

- Ping Sweep
What's alive?
------------

---------------------------Type this command-----------------------------------
sudo nmap -sP 157.166.226.*

-------------------------------------------------------------------------------



- If -sP yields no results (many hosts drop ICMP echo), try a list scan. -sP is the old spelling of -sn (host discovery only). -sL sends nothing to the targets: it only does a reverse-DNS lookup of each address, so it shows which names exist, not which hosts answer:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.*

-------------------------------------------------------------------------------



- Look for hostnames:
---------------------------Type this command-----------------------------------
sudo nmap -sL 157.166.226.* | grep cnn

-------------------------------------------------------------------------------



- Port Scan
What's where?
------------
---------------------------Type this command-----------------------------------
sudo nmap -sS 162.243.126.247

-------------------------------------------------------------------------------



- Bannergrab/Version Query
What versions of software are running
-------------------------------------

---------------------------Type this command-----------------------------------
sudo nmap -sV 162.243.126.247

-------------------------------------------------------------------------------



- Vulnerability Research
Look up the banner versions for public exploits
-----------------------------------------------
https://www.exploit-db.com/search
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/



##############################################
# Log Analysis with Linux command-line tools #
##############################################
The following command-line tools are found on macOS as well as most Linux distributions.

cat – prints the content of a file in the terminal window

grep – searches and filters based on patterns

awk – can split each row into fields and display only what is needed

sed – performs find and replace functions

sort – arranges output in an order

uniq – compares adjacent lines and can report, filter or provide a count of duplicates



##############
# Cisco Logs #
##############

---------------------------Type this command-----------------------------------
wget http://45.63.104.73/cisco.log
-------------------------------------------------------------------------------



AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th whitespace-separated field of each line, which in this log is the %FACILITY-SEVERITY-MNEMONIC token. Here we will print $5. Only the last 4 lines are being shown for brevity.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-------------------------------------------------------------------------------



Looking at a large file would still produce a large amount of output. A more useful thing to do is to take every value found in $5, group identical entries together, count them, then sort them from the greatest to the least number of occurrences. This is done by piping the output through "sort" (uniq only collapses adjacent duplicates, so the input has to be sorted first), using "uniq -c" to count the like entries, then using "sort -rn" to sort numerically in reverse order.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------



While that's sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren't conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain a "%facility-level-mnemonic" token. The pattern is quoted so the shell does not try to expand the * and [...] characters as filename globs.

-----------------------------Type this-----------------------------------------
cat cisco.log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------



Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep. In the %LINEPROTO-5-UPDOWN lines, field 10 is the interface name (with a trailing comma, which the sed strips) and field 14 is the new state, so the last pipeline counts "interface changed to up/down" pairs.

---------------------------Type the following commands-----------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn

------------------------------------------------------------------------------------------



################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).


The fastest thing you can do is perform static analysis.



###################
# Static Analysis #
###################

- After logging in, open a terminal window and type the following commands. Treat the sample as live malware: keep it on the lab host and never execute it.


---------------------------Type the following commands-----------------------------------
cd ~/yourname

wget http://45.63.104.73/wannacry.zip

unzip wannacry.zip
infected                <--- the archive password; unzip prompts for it

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf        <--- 'file' reads the content (magic bytes), not the extension, so it still reports a Windows PE executable

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------------------------


***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html



---------------------------Type the following commands-----------------------------------
objdump -x wannacry.exe

objdump -x wannacry.exe | less
q

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------------------------



Quick Google search for "wannacry ransomware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/


- Yara Rule -


Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

The modifiers matter: "wide" means the string is also matched as UTF-16LE, which plain strings output will not show unless you add -el, and "nocase" is why the greps below use -i.


Ok, let's look for the individual strings


---------------------------Type the following commands-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....

strings wannacry.exe | grep -i icacls **** Matches $s7, hmmm.....


----------------------------------------------------------------------------------------
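Added example, not from the handout: a shell version of the two checks this section makes by hand, the MZ magic and the YARA string hunt, run against a constructed stand-in file (a few header bytes plus three of the rule's strings, one of them stored as UTF-16LE). It uses od and tr instead of hexdump and strings so it also works where binutils is not installed, and it shows the case the plain strings/grep approach above misses: a "wide" string only turns up once the NUL bytes between its characters are stripped. All names here are mine.

```shell
#!/bin/sh
# Added example: MZ magic check and YARA-style string hunt over a constructed
# stand-in file (NOT the real wannacry.exe).
LC_ALL=C
export LC_ALL

# Build the stand-in: "MZ" header bytes, then three strings from the rule.
# \377\377 runs separate the items, as non-printable padding would in a
# real binary. "WANACRY!" is written as UTF-16LE (a NUL after each char).
SAMPLE=$(mktemp)
{
    printf 'MZ\220\000\003\000\000\000\004\000\000\000\377\377'
    printf '%s\000\377\377' 'Wanna Decryptor'
    printf 'W\000A\000N\000A\000C\000R\000Y\000!\000\377\377'
    printf '%s\000' 'icacls . /grant Everyone:F /T /C /Q'
} > "$SAMPLE"

# First two bytes as hex, e.g. 4d5a. Same information as "hexdump -n 2 -C".
magic_of() {
    od -An -t x1 -N 2 "$1" | tr -d ' \n'
}

# yes if the file starts with the DOS/PE "MZ" signature, whatever its name.
is_pe() {
    if [ "$(magic_of "$1")" = "4d5a" ]; then echo yes; else echo no; fi
}

# Printable runs of 4+ characters: what "strings" shows by default.
ascii_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Same, after dropping NUL bytes, so UTF-16LE text made of ASCII characters
# becomes readable. Equivalent in spirit to "strings -el"; crude, since
# adjacent strings separated only by NULs get glued together.
wide_strings() {
    tr -d '\000' < "$1" | tr -c '[:print:]' '\n' | grep -E '^.{4,}$'
}

# The rule's strings, "id|text" per line (the rule as given has no $s6).
YARA_STRINGS='s1|Ooops, your files have been encrypted!
s2|Wanna Decryptor
s3|.wcry
s4|WANNACRY
s5|WANACRY!
s7|icacls . /grant Everyone:F /T /C /Q'

# For each rule string print "id ascii", "id wide" or "id none".
# -F: fixed string (the icacls one contains a dot); -i: the rule says nocase.
hunt_strings() {
    echo "$YARA_STRINGS" | while IFS='|' read -r id text; do
        if ascii_strings "$1" | grep -qiF -- "$text"; then
            echo "$id ascii"
        elif wide_strings "$1" | grep -qiF -- "$text"; then
            echo "$id wide"
        else
            echo "$id none"
        fi
    done
}

echo "magic: $(magic_of "$SAMPLE")  pe: $(is_pe "$SAMPLE")"
hunt_strings "$SAMPLE"
```

Against the stand-in, $s2 and $s7 are found as plain ASCII, $s5 only after the NULs are removed, and $s1, $s3 and $s4 are absent (WANNACRY with two N's does not match WANACRY!). Run hunt_strings against the real wannacry.exe to compare with the greps above; anything reported as "wide" is exactly what strings without -el would have hidden.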