Linux For Infosec Pros

##############################
# Linux For InfoSec Pros     #
# By Joe McCray              #
##############################

Here is the download link for the video of the morning session:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-9_233534_recording.mp4

Here is the download link for the video of the afternoon session:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-4_233632_recording.mp4


##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec

Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


########################################
# Boot up the StrategicSec Ubuntu host #
# You can also boot up the Win7 as well#
########################################

- Log in to your Ubuntu host with the following credentials:
	user: strategicsec
	pass: strategicsec


- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


- For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host


########################
# Basic Linux Commands #
########################

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir test

cd test

touch one two three

ls -l t		(without pressing the Enter key, press the Tab key twice. What happens?)

h		(and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'	(What happens?)

Press 'Ctrl-A'			(What happens?)

ls

clear				(What happens?)

echo one > one

cat one				(What happens?)

man cat				(What happens?)
	q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three 			(What happens?)

wc -l three

man wc
	q

cat three | grep four

cat three | grep one

man grep
	q


sudo grep eth[01] /etc/*	(What happens?)

cat /etc/iftab


man ps
	q

ps

ps aux

ps aux | less

Press the 'Up arrow key'	(What happens?)

Press the 'Down arrow key'	(What happens?)
	q

top


#########################################################################
# What kind of Linux am I on and how can I find out? 			#
# Great reference: 							#
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 	#
#########################################################################
What’s the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release      		# Debian based
cat /etc/redhat-release   		# Redhat based


What’s the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-


What can be learnt from the environmental variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root


What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
dpkg --get-selections | grep -v deinstall
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/


What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   		# Search for Joomla passwords


What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w


Whats cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d:    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l


What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/


Anything “interesting” in the home directorie(s)? If it’s possible to access
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


What has the user being doing? Is there any password in plain text? What have they been edting?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history


What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


Any settings/files (hidden) on website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


Is there anything in the log file(s) (Could help with “Local File Includes”!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp


###########################
# Target IP Determination #
###########################
- This portion starts the actual workshop content
- Zone Transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk


- Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
perl blindcrawl.pl -d motorola.com
	Look up the IP addresses at:
	http://www.networksolutions.com/whois/index.jsp


- Note: If you are on a different machine and need to download blindcrawl can you download it this way:
wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
chmod +x blindcrawl.pl


cd ~/toolz/fierce2
sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
	strategicsec


- Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/


cd ~/toolz/fierce2
wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
tar -zxvf Template-Toolkit-2.14.tar.gz
cd Template-Toolkit-2.14/
perl Makefile.PL
	y
	y
	n
	y
sudo make install
     strategicsec

cd ..

sudo bash install.sh
     strategicsec

./fierce

./fierce -dns motorola.com

cd ~/toolz/

- Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
gcc -o ipcrawl ipcrawl.c
chmod +x ipcrawl


- Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is
cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254				(DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
     strategicsec

sudo nmap -sL 148.87.1.0-255 | grep oracle
     strategicsec

- Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
     strategicsec


###########################
# Load Balancer Detection #
###########################

- Here are some options to use for identifying load balancers:
	- http://toolbar.netcraft.com/site_report/
	- Firefox LiveHTTP Headers


- Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh google.com


halberd microsoft.com
halberd motorola.com
halberd oracle.com


######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com


cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com
     strategicsec

sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
     strategicsec


#########################
# Playing with Nmap NSE #
#########################

nmap -Pn -p80 --script ip-geolocation-* strategicsec.com

nmap -p80 --script dns-brute strategicsec.com

nmap --script http-robtex-reverse-ip secore.info

nmap -Pn -p80 --script=http-headers strategicsec.com


ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* strategicsec.com

############
# Nmap NSE #
############

- Reference for this tutorial is:
https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
     strategicsec


-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "I love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http


-- The Action Section --
action = function(host, port)
    return "I still love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443


OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


####################
# Installing Scapy #
####################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot


- Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html


- To run Scapy interactively

	sudo scapy


#####################################
# Sending ICMPv4 Packets with scapy #
#####################################

- In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP()


- This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display()


- Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="192.168.54.184"

    i.display()


- Notice that scapy automatically fills in your machine's source IP address.

- Use these commands to create an object named ic of type ICMP and display its properties:


    ic = ICMP()

    ic.display()


- Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic)


- This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.


- The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

- Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):


    sr1(i/ic/"YOUR NAME")


- You should see a reply with a Raw section containing your name.


###################################
# Sending a UDP Packet with Scapy #
###################################


- Preparing the Target
$ ncat -ulvp 4444


--open another terminal--
In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:

    u = UDP()

    u.display()


- This creates an object named u of type UDP, and displays its properties.

- Execute these commands to change the destination port to 4444 and display the properties again:

    i.dst="192.168.54.184"				<--- replace this with a host that you can run netcat on (ex: another VM or your host computer)

    u.dport = 4444

    u.display()


- Execute this command to send the packet to the Windows machine:

    send(i/u/"YOUR NAME SENT VIA UDP\n")


- On the Windows target, you should see the message appear


p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))


p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))


p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))


traceroute (["strategicsec.com"], maxttl=20)
	This is actually an ICMP & TCP traceroute, default destination is port 80


traceroute (["strategicsec.com"], dport=443, maxttl=20)


############################
# Ping Sweeping with Scapy #
############################

----------------------------------------------------------------------
vi scapy-pingsweep.py


#!/usr/bin/python
from scapy.all import *

TIMEOUT = 2
conf.verb = 0
for ip in range(0, 256):
    packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if not (reply is None):
         print reply.dst, "is online"
    else:
         print "Timeout waiting for %s" % packet[IP].dst
----------------------------------------------------------------------


###############################################
# Checking out some scapy based port scanners #
###############################################

wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py

cat rdp_scan.py

sudo python rdp_scan.py 192.168.1.250


Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging please open a terminal window and type the following commands:

cd Desktop/


This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
        infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'***
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

                                                        - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list


                                                        - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
        infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e


Creating a malware database (mysql)
-----------------------------------
Step 1: Installing MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing Python MySQLdb module
Run the following command in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p                                        (set a password of 'malware')

Then create one database by running following command:

create database malware;


wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py -i                      (fill in database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u


mysql -u root -p
        malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;


##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam

sudo Clamscan

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
        infected

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
meta:
description = "Windows executable file"

condition:
// MZ signature at offset 0 and ...
uint16(0) == 0x5A4D and
// ... PE signature at offset stored in MZ header at 0x3C
uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
meta:
description = "DEP is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

rule has_no_ASLR
{
meta:
description = "ASLR is not enabled"

condition:
IsPE and
uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
----------------


yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe


####################
# Additional Tasks #
####################

- PE Scanner:
https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py


cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs


for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'


cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
                                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
cd foremost-1.5.7/
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf


cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done