Advertisement
joemccray

Linux For Infosec Pros

Apr 18th, 2015
3,044
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 32.65 KB | None | 0 0
  1. ##############################
  2. # Linux For InfoSec Pros #
  3. # By Joe McCray #
  4. ##############################
  5.  
  6. Here is the download link for the video of the morning session:
  7. https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-9_233534_recording.mp4
  8.  
  9. Here is the download link for the video of the afternoon session:
  10. https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-4_233632_recording.mp4
  11.  
  12.  
  13.  
  14. ##########
  15. # VMWare #
  16. ##########
  17. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  18.  
  19. - A 30-day trial of Workstation 11 can be downloaded from here:
  20. - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0
  21.  
  22. - A 30-day trial of Fusion 7 can be downloaded from here:
  23. - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0
  24.  
  25. - The newest version of VMWare Player can be downloaded from here:
  26. - https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0
  27.  
  28.  
  29. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  30.  
  31.  
  32. ##########################
  33. # Download the attack VM #
  34. ##########################
  35. https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
  36. user: strategicsec
  37. pass: strategicsec
  38.  
  39. Here is a good set of slides for getting started with Linux:
  40. http://www.slideshare.net/olafusimichael/linux-training-24086319
  41.  
  42.  
  43.  
  44. ########################################
  45. # Boot up the StrategicSec Ubuntu host #
  46. # You can also boot up the Win7 as well#
  47. ########################################
  48.  
  49. - Log in to your Ubuntu host with the following credentials:
  50. user: strategicsec
  51. pass: strategicsec
  52.  
  53.  
  54.  
  55. - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
  56. - You can download Putty from here:
  57. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  58.  
  59.  
  60. - For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host
  61.  
  62.  
  63.  
  64. ########################
  65. # Basic Linux Commands #
  66. ########################
  67.  
  68. pwd
  69.  
  70. whereis pwd
  71.  
  72. which pwd
  73.  
  74. sudo find / -name pwd
  75.  
  76. /bin/pwd
  77.  
  78. mkdir test
  79.  
  80. cd test
  81.  
  82. touch one two three
  83.  
  84. ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
  85.  
  86. h (and again without pressing the Enter key, press the Tab key twice. What happens?)
  87.  
  88. Press the 'Up arrow key' (What happens?)
  89.  
  90. Press 'Ctrl-A' (What happens?)
  91.  
  92. ls
  93.  
  94. clear (What happens?)
  95.  
  96. echo one > one
  97.  
  98. cat one (What happens?)
  99.  
  100. man cat (What happens?)
  101. q
  102.  
  103. cat two
  104.  
  105. cat one > two
  106.  
  107. cat two
  108.  
  109. cat one two > three
  110.  
  111. cat three
  112.  
  113. echo four >> three
  114.  
  115. cat three (What happens?)
  116.  
  117. wc -l three
  118.  
  119. man wc
  120. q
  121.  
  122. cat three | grep four
  123.  
  124. cat three | grep one
  125.  
  126. man grep
  127. q
  128.  
  129.  
  130. sudo grep eth[01] /etc/* (What happens?)
  131.  
  132. cat /etc/iftab
  133.  
  134.  
  135. man ps
  136. q
  137.  
  138. ps
  139.  
  140. ps aux
  141.  
  142. ps aux | less
  143.  
  144. Press the 'Up arrow key' (What happens?)
  145.  
  146. Press the 'Down arrow key' (What happens?)
  147. q
  148.  
  149. top
  150.  
  151.  
  152. #########################################################################
  153. # What kind of Linux am I on and how can I find out? #
  154. # Great reference: #
  155. # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
  156. #########################################################################
  157. What’s the distribution type? What version?
  158. -------------------------------------------
  159. cat /etc/issue
  160. cat /etc/*-release
  161. cat /etc/lsb-release # Debian based
  162. cat /etc/redhat-release # Redhat based
  163.  
  164.  
  165.  
  166. What’s the kernel version? Is it 64-bit?
  167. -------------------------------------------
  168. cat /proc/version
  169. uname -a
  170. uname -mrs
  171. rpm -q kernel
  172. dmesg | grep Linux
  173. ls /boot | grep vmlinuz-
  174.  
  175.  
  176.  
  177. What can be learnt from the environmental variables?
  178. ----------------------------------------------------
  179. cat /etc/profile
  180. cat /etc/bashrc
  181. cat ~/.bash_profile
  182. cat ~/.bashrc
  183. cat ~/.bash_logout
  184. env
  185. set
  186.  
  187.  
  188. What services are running? Which service has which user privilege?
  189. ------------------------------------------------------------------
  190. ps aux
  191. ps -ef
  192. top
  193. cat /etc/services
  194.  
  195.  
  196. Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
  197. ---------------------------------------------------------------------------------------------------------------
  198. ps aux | grep root
  199. ps -ef | grep root
  200.  
  201.  
  202.  
  203. What applications are installed? What version are they? Are they currently running?
  204. ------------------------------------------------------------------------------------
  205. ls -alh /usr/bin/
  206. ls -alh /sbin/
  207. dpkg -l
  208. dpkg --get-selections | grep -v deinstall
  209. rpm -qa
  210. ls -alh /var/cache/apt/archives
  211. ls -alh /var/cache/yum/
  212.  
  213.  
  214. Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
  215. ------------------------------------------------------------------------------------
  216. cat /etc/syslog.conf
  217. cat /etc/chttp.conf
  218. cat /etc/lighttpd.conf
  219. cat /etc/cups/cupsd.conf
  220. cat /etc/inetd.conf
  221. cat /etc/apache2/apache2.conf
  222. cat /etc/my.conf
  223. cat /etc/httpd/conf/httpd.conf
  224. cat /opt/lampp/etc/httpd.conf
  225. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
  226.  
  227.  
  228.  
  229. What jobs are scheduled?
  230. ------------------------
  231. crontab -l
  232. ls -alh /var/spool/cron
  233. ls -al /etc/ | grep cron
  234. ls -al /etc/cron*
  235. cat /etc/cron*
  236. cat /etc/at.allow
  237. cat /etc/at.deny
  238. cat /etc/cron.allow
  239. cat /etc/cron.deny
  240. cat /etc/crontab
  241. cat /etc/anacrontab
  242. cat /var/spool/cron/crontabs/root
  243.  
  244.  
  245. Any plain text usernames and/or passwords?
  246. ------------------------------------------
  247. grep -i user [filename]
  248. grep -i pass [filename]
  249. grep -C 5 "password" [filename]
  250. find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Search for Joomla passwords
  251.  
  252.  
  253. What NIC(s) does the system have? Is it connected to another network?
  254. ---------------------------------------------------------------------
  255. /sbin/ifconfig -a
  256. cat /etc/network/interfaces
  257. cat /etc/sysconfig/network
  258.  
  259.  
  260. What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
  261. ------------------------------------------------------------------------------------------------------------------------
  262. cat /etc/resolv.conf
  263. cat /etc/sysconfig/network
  264. cat /etc/networks
  265. iptables -L
  266. hostname
  267. dnsdomainname
  268.  
  269. What other users & hosts are communicating with the system?
  270. -----------------------------------------------------------
  271. lsof -i
  272. lsof -i :80
  273. grep 80 /etc/services
  274. netstat -antup
  275. netstat -antpx
  276. netstat -tulpn
  277. chkconfig --list
  278. chkconfig --list | grep 3:on
  279. last
  280. w
  281.  
  282.  
  283.  
  284. Whats cached? IP and/or MAC addresses
  285. -------------------------------------
  286. arp -e
  287. route
  288. /sbin/route -nee
  289.  
  290.  
  291. Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
  292. ------------------------------------------------------------------------------------------
  293. id
  294. who
  295. w
  296. last
  297. cat /etc/passwd | cut -d: # List of users
  298. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
  299. awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
  300. cat /etc/sudoers
  301. sudo -l
  302.  
  303.  
  304.  
  305. What sensitive files can be found?
  306. ----------------------------------
  307. cat /etc/passwd
  308. cat /etc/group
  309. cat /etc/shadow
  310. ls -alh /var/mail/
  311.  
  312.  
  313.  
  314. Anything “interesting” in the home directorie(s)? If it’s possible to access
  315. ----------------------------------------------------------------------------
  316. ls -ahlR /root/
  317. ls -ahlR /home/
  318.  
  319.  
  320. Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
  321. ---------------------------------------------------------------------------------------------------------------------------
  322. cat /var/apache2/config.inc
  323. cat /var/lib/mysql/mysql/user.MYD
  324. cat /root/anaconda-ks.cfg
  325.  
  326.  
  327. What has the user being doing? Is there any password in plain text? What have they been edting?
  328. -----------------------------------------------------------------------------------------------
  329. cat ~/.bash_history
  330. cat ~/.nano_history
  331. cat ~/.atftp_history
  332. cat ~/.mysql_history
  333. cat ~/.php_history
  334.  
  335.  
  336.  
  337. What user information can be found?
  338. -----------------------------------
  339. cat ~/.bashrc
  340. cat ~/.profile
  341. cat /var/mail/root
  342. cat /var/spool/mail/root
  343.  
  344.  
  345. Can private-key information be found?
  346. -------------------------------------
  347. cat ~/.ssh/authorized_keys
  348. cat ~/.ssh/identity.pub
  349. cat ~/.ssh/identity
  350. cat ~/.ssh/id_rsa.pub
  351. cat ~/.ssh/id_rsa
  352. cat ~/.ssh/id_dsa.pub
  353. cat ~/.ssh/id_dsa
  354. cat /etc/ssh/ssh_config
  355. cat /etc/ssh/sshd_config
  356. cat /etc/ssh/ssh_host_dsa_key.pub
  357. cat /etc/ssh/ssh_host_dsa_key
  358. cat /etc/ssh/ssh_host_rsa_key.pub
  359. cat /etc/ssh/ssh_host_rsa_key
  360. cat /etc/ssh/ssh_host_key.pub
  361. cat /etc/ssh/ssh_host_key
  362.  
  363.  
  364. Any settings/files (hidden) on website? Any settings file with database information?
  365. ------------------------------------------------------------------------------------
  366. ls -alhR /var/www/
  367. ls -alhR /srv/www/htdocs/
  368. ls -alhR /usr/local/www/apache22/data/
  369. ls -alhR /opt/lampp/htdocs/
  370. ls -alhR /var/www/html/
  371.  
  372.  
  373. Is there anything in the log file(s) (Could help with “Local File Includes”!)
  374. -----------------------------------------------------------------------------
  375. cat /etc/httpd/logs/access_log
  376. cat /etc/httpd/logs/access.log
  377. cat /etc/httpd/logs/error_log
  378. cat /etc/httpd/logs/error.log
  379. cat /var/log/apache2/access_log
  380. cat /var/log/apache2/access.log
  381. cat /var/log/apache2/error_log
  382. cat /var/log/apache2/error.log
  383. cat /var/log/apache/access_log
  384. cat /var/log/apache/access.log
  385. cat /var/log/auth.log
  386. cat /var/log/chttp.log
  387. cat /var/log/cups/error_log
  388. cat /var/log/dpkg.log
  389. cat /var/log/faillog
  390. cat /var/log/httpd/access_log
  391. cat /var/log/httpd/access.log
  392. cat /var/log/httpd/error_log
  393. cat /var/log/httpd/error.log
  394. cat /var/log/lastlog
  395. cat /var/log/lighttpd/access.log
  396. cat /var/log/lighttpd/error.log
  397. cat /var/log/lighttpd/lighttpd.access.log
  398. cat /var/log/lighttpd/lighttpd.error.log
  399. cat /var/log/messages
  400. cat /var/log/secure
  401. cat /var/log/syslog
  402. cat /var/log/wtmp
  403. cat /var/log/xferlog
  404. cat /var/log/yum.log
  405. cat /var/run/utmp
  406. cat /var/webmin/miniserv.log
  407. cat /var/www/logs/access_log
  408. cat /var/www/logs/access.log
  409. ls -alh /var/lib/dhcp3/
  410. ls -alh /var/log/postgresql/
  411. ls -alh /var/log/proftpd/
  412. ls -alh /var/log/samba/
  413.  
  414. Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
  415.  
  416.  
  417. ###########################
  418. # Target IP Determination #
  419. ###########################
  420. - This portion starts the actual workshop content
  421. - Zone Transfer fails on most domains, but here is an example of one that works:
  422. dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
  423.  
  424.  
  425. - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
  426. perl blindcrawl.pl -d motorola.com
  427. Look up the IP addresses at:
  428. http://www.networksolutions.com/whois/index.jsp
  429.  
  430.  
  431. - Note: If you are on a different machine and need to download blindcrawl can you download it this way:
  432. wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
  433. chmod +x blindcrawl.pl
  434.  
  435.  
  436.  
  437. cd ~/toolz/fierce2
  438. sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
  439. strategicsec
  440.  
  441.  
  442. - Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
  443. svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/
  444.  
  445.  
  446. cd ~/toolz/fierce2
  447. wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
  448. tar -zxvf Template-Toolkit-2.14.tar.gz
  449. cd Template-Toolkit-2.14/
  450. perl Makefile.PL
  451. y
  452. y
  453. n
  454. y
  455. sudo make install
  456. strategicsec
  457.  
  458. cd ..
  459.  
  460. sudo bash install.sh
  461. strategicsec
  462.  
  463. ./fierce
  464.  
  465. ./fierce -dns motorola.com
  466.  
  467. cd ~/toolz/
  468.  
  469. - Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
  470. wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
  471. gcc -o ipcrawl ipcrawl.c
  472. chmod +x ipcrawl
  473.  
  474.  
  475.  
  476. - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is
  477. cd ~/toolz/
  478. ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
  479.  
  480.  
  481. sudo nmap -sL 148.87.1.0-255
  482. strategicsec
  483.  
  484. sudo nmap -sL 148.87.1.0-255 | grep oracle
  485. strategicsec
  486.  
  487. - Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
  488. sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
  489. strategicsec
  490.  
  491.  
  492.  
  493.  
  494. ###########################
  495. # Load Balancer Detection #
  496. ###########################
  497.  
  498. - Here are some options to use for identifying load balancers:
  499. - http://toolbar.netcraft.com/site_report/
  500. - Firefox LiveHTTP Headers
  501.  
  502.  
  503. - Here are some command-line options to use for identifying load balancers:
  504.  
  505. dig google.com
  506.  
  507. cd ~/toolz
  508. ./lbd-0.1.sh google.com
  509.  
  510.  
  511. halberd microsoft.com
  512. halberd motorola.com
  513. halberd oracle.com
  514.  
  515.  
  516.  
  517.  
  518.  
  519. ######################################
  520. # Web Application Firewall Detection #
  521. ######################################
  522.  
  523. cd ~/toolz/wafw00f
  524. python wafw00f.py http://www.oracle.com
  525. python wafw00f.py http://www.strategicsec.com
  526.  
  527.  
  528. cd ~/toolz/
  529. sudo nmap -p 80 --script http-waf-detect.nse oracle.com
  530. strategicsec
  531.  
  532. sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
  533. strategicsec
  534.  
  535.  
  536. #########################
  537. # Playing with Nmap NSE #
  538. #########################
  539.  
  540. nmap -Pn -p80 --script ip-geolocation-* strategicsec.com
  541.  
  542. nmap -p80 --script dns-brute strategicsec.com
  543.  
  544. nmap --script http-robtex-reverse-ip secore.info
  545.  
  546. nmap -Pn -p80 --script=http-headers strategicsec.com
  547.  
  548.  
  549. ls /usr/share/nmap/scripts | grep http
  550. nmap -Pn -p80 --script=http-* strategicsec.com
  551.  
  552. ############
  553. # Nmap NSE #
  554. ############
  555.  
  556. - Reference for this tutorial is:
  557. https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
  558.  
  559. ----------------------------------------------------------------------
  560. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  561. strategicsec
  562.  
  563.  
  564.  
  565. -- The Head Section --
  566. -- The Rule Section --
  567. portrule = function(host, port)
  568. return port.protocol == "tcp"
  569. and port.number == 80
  570. and port.state == "open"
  571. end
  572.  
  573. -- The Action Section --
  574. action = function(host, port)
  575. return "I love Linux!"
  576. end
  577. ----------------------------------------------------------------------
  578.  
  579. - Ok, now that we've made that change let's run the script
  580. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  581.  
  582.  
  583.  
  584.  
  585.  
  586.  
  587. ----------------------------------------------------------------------
  588. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  589.  
  590. -- The Head Section --
  591. local shortport = require "shortport"
  592.  
  593. -- The Rule Section --
  594. portrule = shortport.http
  595.  
  596.  
  597. -- The Action Section --
  598. action = function(host, port)
  599. return "I still love Linux!"
  600. end
  601. ----------------------------------------------------------------------
  602.  
  603. - Ok, now that we've made that change let's run the script
  604. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443
  605.  
  606.  
  607.  
  608.  
  609.  
  610.  
  611.  
  612. OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.
  613.  
  614. ----------------------------------------------------------------------
  615. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  616.  
  617. -- The Head Section --
  618. local shortport = require "shortport"
  619. local http = require "http"
  620.  
  621. -- The Rule Section --
  622. portrule = shortport.http
  623.  
  624. -- The Action Section --
  625. action = function(host, port)
  626.  
  627. local uri = "/installing-metasploit-in-ubunt/"
  628. local response = http.get(host, port, uri)
  629. return response.status
  630.  
  631. end
  632. ----------------------------------------------------------------------
  633.  
  634. - Ok, now that we've made that change let's run the script
  635. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  636.  
  637.  
  638.  
  639.  
  640. ----------------------------------------------------------------------
  641. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  642.  
  643. -- The Head Section --
  644. local shortport = require "shortport"
  645. local http = require "http"
  646.  
  647. -- The Rule Section --
  648. portrule = shortport.http
  649.  
  650. -- The Action Section --
  651. action = function(host, port)
  652.  
  653. local uri = "/installing-metasploit-in-ubunt/"
  654. local response = http.get(host, port, uri)
  655.  
  656. if ( response.status == 200 ) then
  657. return response.body
  658. end
  659.  
  660. end
  661. ----------------------------------------------------------------------
  662.  
  663. - Ok, now that we've made that change let's run the script
  664. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  665.  
  666.  
  667.  
  668.  
  669.  
  670.  
  671.  
  672.  
  673.  
  674. ----------------------------------------------------------------------
  675. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  676.  
  677. -- The Head Section --
  678. local shortport = require "shortport"
  679. local http = require "http"
  680. local string = require "string"
  681.  
  682. -- The Rule Section --
  683. portrule = shortport.http
  684.  
  685. -- The Action Section --
  686. action = function(host, port)
  687.  
  688. local uri = "/installing-metasploit-in-ubunt/"
  689. local response = http.get(host, port, uri)
  690.  
  691. if ( response.status == 200 ) then
  692. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  693. return title
  694. end
  695.  
  696. end
  697. ----------------------------------------------------------------------
  698.  
  699. - Ok, now that we've made that change let's run the script
  700. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  701.  
  702.  
  703.  
  704.  
  705.  
  706.  
  707.  
  708. ----------------------------------------------------------------------
  709. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  710.  
  711. -- The Head Section --
  712. local shortport = require "shortport"
  713. local http = require "http"
  714. local string = require "string"
  715.  
  716. -- The Rule Section --
  717. portrule = shortport.http
  718.  
  719. -- The Action Section --
  720. action = function(host, port)
  721.  
  722. local uri = "/installing-metasploit-in-ubunt/"
  723. local response = http.get(host, port, uri)
  724.  
  725. if ( response.status == 200 ) then
  726. local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
  727.  
  728. if (title) then
  729. return "Vulnerable"
  730. else
  731. return "Not Vulnerable"
  732. end
  733. end
  734. end
  735.  
  736. ----------------------------------------------------------------------
  737.  
  738. - Ok, now that we've made that change let's run the script
  739. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  740.  
  741.  
  742.  
  743. ####################
  744. # Installing Scapy #
  745. ####################
  746.  
  747. sudo apt-get update
  748. sudo apt-get install python-scapy python-pyx python-gnuplot
  749.  
  750.  
  751. - Reference Page For All Of The Commands We Will Be Running:
  752. http://samsclass.info/124/proj11/proj17-scapy.html
  753.  
  754.  
  755.  
  756.  
  757.  
  758. - To run Scapy interactively
  759.  
  760. sudo scapy
  761.  
  762.  
  763.  
  764. #####################################
  765. # Sending ICMPv4 Packets with scapy #
  766. #####################################
  767.  
  768. - In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:
  769.  
  770. i = IP()
  771.  
  772.  
  773.  
  774.  
  775. - This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:
  776.  
  777. i.display()
  778.  
  779.  
  780.  
  781.  
  782. - Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:
  783.  
  784. i.dst="192.168.54.184"
  785.  
  786. i.display()
  787.  
  788.  
  789.  
  790.  
  791. - Notice that scapy automatically fills in your machine's source IP address.
  792.  
  793. - Use these commands to create an object named ic of type ICMP and display its properties:
  794.  
  795.  
  796. ic = ICMP()
  797.  
  798. ic.display()
  799.  
  800.  
  801.  
  802.  
  803.  
  804. - Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:
  805.  
  806. sr1(i/ic)
  807.  
  808.  
  809.  
  810.  
  811.  
  812. - This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.
  813.  
  814.  
  815. - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
  816.  
  817. - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
  818.  
  819.  
  820. sr1(i/ic/"YOUR NAME")
  821.  
  822.  
  823. - You should see a reply with a Raw section containing your name.
  824.  
  825.  
  826.  
  827. ###################################
  828. # Sending a UDP Packet with Scapy #
  829. ###################################
  830.  
  831.  
  832. - Preparing the Target
  833. $ ncat -ulvp 4444
  834.  
  835.  
  836.  
  837.  
  838. --open another terminal--
  839. In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
  840.  
  841. u = UDP()
  842.  
  843. u.display()
  844.  
  845.  
  846.  
  847. - This creates an object named u of type UDP, and displays its properties.
  848.  
  849. - Execute these commands to change the destination port to 4444 and display the properties again:
  850.  
  851. i.dst="192.168.54.184" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
  852.  
  853. u.dport = 4444
  854.  
  855. u.display()
  856.  
  857.  
  858.  
  859. - Execute this command to send the packet to the Windows machine:
  860.  
  861. send(i/u/"YOUR NAME SENT VIA UDP\n")
  862.  
  863.  
  864.  
  865. - On the Windows target, you should see the message appear
  866.  
  867.  
  868. p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))
  869.  
  870.  
  871. p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))
  872.  
  873.  
  874. p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))
  875.  
  876.  
  877. traceroute (["strategicsec.com"], maxttl=20)
  878. This is actually an ICMP & TCP traceroute, default destination is port 80
  879.  
  880.  
  881. traceroute (["strategicsec.com"], dport=443, maxttl=20)
  882.  
  883.  
  884.  
  885. ############################
  886. # Ping Sweeping with Scapy #
  887. ############################
  888.  
  889. ----------------------------------------------------------------------
  890. vi scapy-pingsweep.py
  891.  
  892.  
  893. #!/usr/bin/python
  894. from scapy.all import *
  895.  
  896. TIMEOUT = 2
  897. conf.verb = 0
  898. for ip in range(0, 256):
  899. packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
  900. reply = sr1(packet, timeout=TIMEOUT)
  901. if not (reply is None):
  902. print reply.dst, "is online"
  903. else:
  904. print "Timeout waiting for %s" % packet[IP].dst
  905. ----------------------------------------------------------------------
  906.  
  907.  
  908. ###############################################
  909. # Checking out some scapy based port scanners #
  910. ###############################################
  911.  
  912. wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
  913.  
  914. cat rdp_scan.py
  915.  
  916. sudo python rdp_scan.py 192.168.1.250
  917.  
  918.  
  919.  
  920. Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
  921.  
  922. After logging please open a terminal window and type the following commands:
  923.  
  924. cd Desktop/
  925.  
  926.  
  927. This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
  928.  
  929. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  930. wget http://www.beenuarora.com/code/analyse_malware.py
  931.  
  932. unzip malware-password-is-infected.zip
  933. infected
  934.  
  935. file malware.exe
  936.  
  937. mv malware.exe malware.pdf
  938.  
  939. file malware.pdf
  940.  
  941. mv malware.pdf malware.exe
  942.  
  943. hexdump -n 2 -C malware.exe
  944.  
  945. ***What is '4d 5a' or 'MZ'***
  946. Reference: http://www.garykessler.net/library/file_sigs.html
  947.  
  948.  
  949. objdump -x malware.exe
  950.  
  951. strings malware.exe
  952.  
  953. strings --all malware.exe | head -n 6
  954.  
  955. strings malware.exe | grep -i dll
  956.  
  957. strings malware.exe | grep -i library
  958.  
  959. strings malware.exe | grep -i reg
  960.  
  961. strings malware.exe | grep -i hkey
  962.  
  963. strings malware.exe | grep -i hku
  964.  
  965. - We didn't see anything like HKLM, HKCU or other registry type stuff
  966.  
  967. strings malware.exe | grep -i irc
  968.  
  969. strings malware.exe | grep -i join
  970.  
  971. strings malware.exe | grep -i admin
  972.  
  973. strings malware.exe | grep -i list
  974.  
  975.  
  976. - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  977. sudo apt-get install -y python-pefile
  978.  
  979. vi analyse_malware.py
  980.  
  981. python analyse_malware.py malware.exe
  982.  
  983.  
  984. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  985. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  986.  
  987.  
  988. Malware Repositories:
  989. http://malshare.com/index.php
  990. http://www.malwareblacklist.com/
  991. http://www.virusign.com/
  992. http://virusshare.com/
  993. http://www.tekdefense.com/downloads/malware-samples/
  994.  
  995. ###############################
  996. # Creating a Malware Database #
  997. ###############################
  998.  
  999. Creating a malware database (sqlite)
  1000. ------------------------------------
  1001. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1002. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1003. unzip malware-password-is-infected.zip
  1004. infected
  1005. python avsubmit.py --init
  1006. python avsubmit.py -f malware.exe -e
  1007.  
  1008.  
  1009.  
  1010.  
  1011.  
  1012. Creating a malware database (mysql)
  1013. -----------------------------------
  1014. Step 1: Installing MySQL database
  1015. Run the following command in the terminal:
  1016.  
  1017. sudo apt-get install mysql-server
  1018.  
  1019. Step 2: Installing Python MySQLdb module
  1020. Run the following command in the terminal:
  1021.  
  1022. sudo apt-get build-dep python-mysqldb
  1023. sudo apt-get install python-mysqldb
  1024.  
  1025. Step 3: Logging in
  1026. Run the following command in the terminal:
  1027.  
  1028. mysql -u root -p (set a password of 'malware')
  1029.  
  1030. Then create one database by running following command:
  1031.  
  1032. create database malware;
  1033.  
  1034.  
  1035.  
  1036. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1037.  
  1038. vi mal_to_db.py -i (fill in database connection information)
  1039.  
  1040. python mal_to_db.py -i
  1041.  
  1042. python mal_to_db.py -i -f malware.exe -u
  1043.  
  1044.  
  1045. mysql -u root -p
  1046. malware
  1047.  
  1048. mysql> use malware;
  1049.  
  1050. select id,md5,sha1,sha256,time FROM files;
  1051.  
  1052. mysql> quit;
  1053.  
  1054.  
  1055.  
  1056.  
  1057.  
  1058. ##############################
  1059. # Lesson 32: Setting up Yara #
  1060. ##############################
  1061.  
  1062.  
  1063. sudo apt-get install clamav clamav-freshclam
  1064.  
  1065. sudo freshclam
  1066.  
  1067. sudo Clamscan
  1068.  
  1069. sudo apt-get install libpcre3 libpcre3-dev
  1070.  
  1071. wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
  1072.  
  1073. wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
  1074.  
  1075. tar -zxvf v3.1.0.tar.gz
  1076.  
  1077. cd yara-3.1.0/
  1078.  
  1079. ./bootstrap.sh
  1080.  
  1081. ./configure
  1082.  
  1083. make
  1084.  
  1085. make check
  1086.  
  1087. sudo make install
  1088.  
  1089. cd yara-python/
  1090.  
  1091. python setup.py build
  1092.  
  1093. sudo python setup.py install
  1094.  
  1095. cd ..
  1096.  
  1097. yara -v
  1098.  
  1099. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
  1100.  
  1101. sigtool -u /var/lib/clamav/main.cvd
  1102.  
  1103. python clamav_to_yara.py -f main.ndb -o clamav.yara
  1104.  
  1105. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1106.  
  1107. unzip malware-password-is-infected.zip
  1108. infected
  1109.  
  1110. mkdir malcode/
  1111.  
  1112. mv malware.exe malcode/
  1113.  
  1114. vi testrule.yara
  1115. ----------------
  1116. rule IsPE
  1117. {
  1118. meta:
  1119. description = "Windows executable file"
  1120.  
  1121. condition:
  1122. // MZ signature at offset 0 and ...
  1123. uint16(0) == 0x5A4D and
  1124. // ... PE signature at offset stored in MZ header at 0x3C
  1125. uint32(uint32(0x3C)) == 0x00004550
  1126. }
  1127.  
  1128. rule has_no_DEP
  1129. {
  1130. meta:
  1131. description = "DEP is not enabled"
  1132.  
  1133. condition:
  1134. IsPE and
  1135. uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
  1136. }
  1137.  
  1138. rule has_no_ASLR
  1139. {
  1140. meta:
  1141. description = "ASLR is not enabled"
  1142.  
  1143. condition:
  1144. IsPE and
  1145. uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
  1146. }
  1147. ----------------
  1148.  
  1149.  
  1150. yara testrule.yara malcode/malware.exe
  1151.  
  1152. mkdir rules/
  1153.  
  1154. cd rules/
  1155.  
  1156. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
  1157.  
  1158. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
  1159.  
  1160. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
  1161.  
  1162. cd ..
  1163.  
  1164. yara rules/ malcode/malware.exe
  1165.  
  1166. wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
  1167.  
  1168. unzip master.zip
  1169.  
  1170. cd YaraGenerator-master/
  1171.  
  1172. python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
  1173.  
  1174. cat Test-Rule-2.yar
  1175.  
  1176. wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  1177.  
  1178. yara Test-Rule-2.yar putty.exe
  1179.  
  1180.  
  1181.  
  1182.  
  1183. ####################
  1184. # Additional Tasks #
  1185. ####################
  1186.  
  1187. - PE Scanner:
  1188. https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  1189. http://www.beenuarora.com/code/analyse_malware.py
  1190.  
  1191. - AV submission:
  1192. http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1193. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
  1194.  
  1195. - Malware Database Creation:
  1196. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1197.  
  1198.  
  1199.  
  1200.  
  1201. cd /home/malware/Desktop/Browser\ Forensics
  1202.  
  1203. ls | grep pcap
  1204.  
  1205. perl chaosreader.pl suspicious-time.pcap
  1206.  
  1207. firefox index.html
  1208.  
  1209. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1210.  
  1211. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1212.  
  1213. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1214.  
  1215.  
  1216.  
  1217.  
  1218. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1219.  
  1220.  
  1221. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1222.  
  1223.  
  1224. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1225.  
  1226.  
  1227. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1228.  
  1229.  
  1230. tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq
  1231.  
  1232.  
  1233. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1234.  
  1235. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1236.  
  1237. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1238.  
  1239. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1240.  
  1241. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1242.  
  1243.  
  1244. whois rapidshare.com.eyu32.ru
  1245.  
  1246. whois sploitme.com.cn
  1247.  
  1248.  
  1249.  
  1250.  
  1251.  
  1252. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1253.  
  1254. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1255.  
  1256. tshark -r suspicious-time.pcap -qz http_req,tree
  1257.  
  1258. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1259.  
  1260. tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1261.  
  1262.  
  1263.  
  1264.  
  1265.  
  1266. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1267.  
  1268. python volatility
  1269. python volatility pslist -f ../hn_forensics.vmem
  1270. python volatility connscan2 -f ../hn_forensics.vmem
  1271. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  1272. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  1273. ***Takes a few min***
  1274. strings 1752.dmp | grep "^http://" | sort | uniq
  1275. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1276. cd ..
  1277. cd foremost-1.5.7/
  1278. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  1279. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  1280. cat audit.txt
  1281. cd pdf
  1282. ls
  1283. grep -i javascript *.pdf
  1284.  
  1285.  
  1286.  
  1287. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  1288. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1289. unzip pdf-parser_V0_6_4.zip
  1290. python pdf-parser.py -s javascript --raw 00600328.pdf
  1291. python pdf-parser.py --object 11 00600328.pdf
  1292. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  1293.  
  1294. cat malicious.js
  1295.  
  1296.  
  1297. *****Sorry - no time to cover javascript de-obfuscation today*****
  1298.  
  1299.  
  1300. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  1301. python volatility files -f ../hn_forensics.vmem > files
  1302. cat files | less
  1303. python volatility malfind -f ../hn_forensics.vmem -d out
  1304. ls out/
  1305. python volatility hivescan -f ../hn_forensics.vmem
  1306. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1307. for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement