joemccray

Command-Line Packet Analysis/Network Forensics V2

Sep 27th, 2018
808
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ##########
  2. # VMWare #
  3. ##########
  4. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  5.  
  6. - http://www.vmware.com/ap/products/player.html
  7.  
  8.  
  9. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  10.  
  11.  
  12.  
  13. #########################
  14. # Class Virtual Machine #
  15. #########################
  16.  
  17.  
  18. Here is the VMWare virtual machine for the class:
  19.  
  20. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
  21. user: infosecaddicts
  22. pass: infosecaddicts
  23.  
  24.  
  25.  
  26. ###################################
  27. # Setting up your virtual machine #
  28. # Note: run as root user #
  29. ###################################
  30.  
  31.  
  32. Here is where we will setup all of the required dependencies for the tools we plan to install
  33. ---------------------------Type This-----------------------------------
  34. apt update
  35. apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libpcap-dev libssl-dev unzip python-dev swig zlib1g-dev sendmail sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq
  36. -----------------------------------------------------------------------
  37.  
  38.  
  39.  
  40.  
  41. Now we install Suricata
  42. ---------------------------Type This-----------------------------------
  43. wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
  44.  
  45. tar -zxvf suricata-4.0.5.tar.gz
  46.  
  47. cd suricata-4.0.5
  48.  
  49. ./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
  50.  
  51. make
  52.  
  53. make install
  54.  
  55. make install-conf
  56.  
  57. cd rules
  58.  
  59. cp *.rules /etc/suricata/rules/
  60.  
  61. cd /etc/suricata/
  62.  
  63. wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
  64.  
  65. tar -zxvf emerging.rules.tar.gz
  66. -----------------------------------------------------------------------
  67.  
  68.  
  69.  
  70.  
  71.  
  72. ##################################################################
  73. # Analyzing a PCAP Prads #
  74. # Note: run as regular user #
  75. ##################################################################
  76.  
  77. ---------------------------Type This-----------------------------------
  78. cd ~
  79.  
  80. mkdir pcap_analysis/
  81.  
  82. cd ~/pcap_analysis/
  83.  
  84. mkdir prads
  85.  
  86. cd ~/pcap_analysis/prads
  87.  
  88. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  89.  
  90. prads -r suspicious-time.pcap -l prads-asset.log
  91.  
  92. cat prads-asset.log | less
  93.  
  94. cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
  95.  
  96. cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
  97.  
  98. cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
  99. -----------------------------------------------------------------------
  100.  
  101.  
  102.  
  103.  
  104. ##################################
  105. # PCAP Analysis with ChaosReader #
  106. # Note: run as regular user #
  107. ##################################
  108. ---------------------------Type This-----------------------------------
  109. cd ~
  110.  
  111. mkdir -p pcap_analysis/chaos_reader/
  112.  
  113. cd ~/pcap_analysis/chaos_reader/
  114.  
  115. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  116.  
  117. wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
  118.  
  119. perl chaosreader.pl suspicious-time.pcap
  120.  
  121. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  122.  
  123. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  124.  
  125.  
  126. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  127.  
  128. python -m SimpleHTTPServer
  129. ****** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page *****
  130.  
  131. ------------------------------------------------------------------------
  132.  
  133.  
  134.  
  135.  
  136.  
  137.  
  138.  
  139.  
  140. #############################
  141. # PCAP Analysis with tshark #
  142. # Note: run as regular user #
  143. #############################
  144. ---------------------------Type This-----------------------------------
  145. cd ~/pcap_analysis/
  146.  
  147. mkdir tshark
  148.  
  149. cd ~/pcap_analysis/tshark
  150.  
  151. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  152.  
  153. tshark -i ens3 -r suspicious-time.pcap -qz io,phs
  154.  
  155. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  156.  
  157. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  158.  
  159. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  160.  
  161.  
  162. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  163.  
  164. whois rapidshare.com.eyu32.ru
  165.  
  166. whois sploitme.com.cn
  167.  
  168. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  169.  
  170. tshark -r suspicious-time.pcap -qz http_req,tree
  171.  
  172. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  173.  
  174. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  175. ------------------------------------------------------------------------
  176.  
  177.  
  178.  
  179.  
  180.  
  181.  
  182.  
  183. ###############################
  184. # PCAP Analysis with Suricata #
  185. # Note: run as root #
  186. ###############################
  187. ---------------------------Type This-----------------------------------
  188. cd /home/joe/pcap_analysis/
  189.  
  190. mkdir suricata
  191.  
  192. cd suricata/
  193.  
  194. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  195.  
  196. mkdir suri
  197.  
  198. suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
  199.  
  200. cd suri/
  201.  
  202. cat stats.log | less
  203.  
  204. cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}
  205.  
  206. cat xx01
  207.  
  208. cat xx02
  209.  
  210. cat xx03
  211.  
  212. cat xx04
  213.  
  214. cat xx05
  215.  
  216. cat xx06
  217. ------------------------------------------------------------------------
  218.  
  219.  
  220. #############################
  221. # PCAP Analysis with Yara #
  222. # Note: run as regular user #
  223. #############################
  224. ---------------------------Type This-----------------------------------
  225. cd ~/pcap_analysis/
  226.  
  227. git clone https://github.com/kevthehermit/YaraPcap.git
  228. cd YaraPcap/
  229. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  230. wget https://github.com/Yara-Rules/rules/archive/master.zip
  231. unzip master.zip
  232. cd rules-master/
  233. ls
  234. cat index.yar
  235. clear
  236. ./index_gen.sh
  237. cd ..
  238. mkdir matching_files/
  239. python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
  240. whereis tcpflow
  241. vi yaraPcap.py **** fix line 35 with correct path to tcpflow ****:q!
  242. python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
  243. cd matching_files/
  244. ls
  245. cat report.txt
  246. ------------------------------------------------------------------------
  247.  
  248.  
  249.  
  250. #######################################################################################################
  251. # Analyzing C&C with Bro IDS and RITA #
  252. # Run the following commands as root #
  253. # References: #
  254. # https://www.vultr.com/docs/installing-bro-ids-on-ubuntu-16-04 #
  255. # https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/ #
  256. #######################################################################################################
  257.  
  258. sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list"
  259. wget -nv http://download.opensuse.org/repositories/network:bro/xUbuntu_16.04/Release.key -O Release.key
  260. apt-key add - < Release.key
  261. apt-get update
  262. apt-get install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev sendmail sendmail-bin
  263.  
  264.  
  265.  
  266. mkdir -p /root/Bro-IDS/
  267. cd /root/Bro-IDS/
  268. wget https://www.bro.org/downloads/bro-2.5.2.tar.gz
  269. tar -xvzf bro-2.5.2.tar.gz
  270. cd bro-2.5.2
  271. ./configure --prefix=/root/Bro-IDS
  272. make
  273. make install
  274. export PATH=/root/Bro-IDS/bin:$PATH
  275.  
  276.  
  277.  
  278. vi /root/Bro-IDS/etc/node.cfg
  279. /root/Bro-IDS/bin/broctl
  280. install
  281. exit
  282. /root/Bro-IDS/bin/broctl deploy
  283.  
  284.  
  285.  
  286.  
  287. mkdir b_analysis/
  288. cd b_analysis/
  289. bro -C -r suspicious-time.pcap local "Site::local_nets += { 10.0.0.0/8 }"
  290. ls -S dns.log
  291. cat conn.log | bro-cut uid id.orig_h id.resp_h duration | sort -nr -k4 | head -n 5
  292.  
  293.  
  294.  
  295.  
  296.  
  297.  
  298.  
  299.  
  300. git clone https://github.com/ocmdev/rita.git
  301.  
  302. cd rita/
  303.  
  304. chmod +x install.sh
  305.  
  306. ./install.sh
  307.  
  308. source ~/.bashrc
  309.  
  310. systemctl start mongod
  311.  
  312. rita import -i /root/btest/ -d suspicious-time
  313.  
  314. rita analyze
  315.  
  316. cd suspicious-time
  317.  
  318. python -m SimpleHTTPServer
Add Comment
Please, Sign In to add comment