joemccray

New Linux For InfoSec

Jun 29th, 2016
##############################
# Linux For InfoSec Pros #
# By Joe McCray #
##############################



##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- http://www.vmware.com/ap/products/player.html


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319



- Log in to your Ubuntu host with the following credentials:
user: strategicsec
pass: strategicsec



- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


- For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address, so anytime you see that IP you'll know that's my Ubuntu host.


########################
# Basic Linux Commands #
########################

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir test

cd test

touch one two three

ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)

h (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key' (What happens?)

Press 'Ctrl-A' (What happens?)

ls

clear (What happens?)

echo one > one

cat one (What happens?)

man cat (What happens?)
q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three (What happens?)

wc -l three

man wc
q

cat three | grep four

cat three | grep one

man grep
q


sudo grep eth[01] /etc/* (What happens?)

cat /etc/iftab


man ps
q

ps

ps aux

ps aux | less

Press the 'Up arrow key' (What happens?)

Press the 'Down arrow key' (What happens?)
q

top

############
# VIM Demo #
############
http://www.thegeekstuff.com/2009/03/8-essential-vim-editor-navigation-fundamentals/

-- DO THIS VIM TUTORIAL --



#########################################################################
# What kind of Linux am I on and how can I find out? #
# Great reference: #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
#########################################################################
- What’s the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based



- What’s the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-



- What can be learnt from the environment variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


- What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


- Which service(s) are being run by root? Of these services, which are vulnerable? It’s worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



- What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/


- Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'



- What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


- Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Search for Joomla passwords (single quotes so the shell does not expand $password)

- What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

- What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



- What’s cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l
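- The awk one-liners above pick out UID-0 accounts by hand. As an added example (not part of Joe's notes), here is a Python script that runs the same account checks a hardening review does over /etc/passwd and /etc/shadow content: extra UID-0 accounts, duplicate UIDs, empty password fields, and system accounts with a login shell. The file contents below are constructed sample data, not from a real host.

```python
"""Audit /etc/passwd and /etc/shadow content for weak account settings.

Added example, not code from the workshop notes. It parses the same
colon-separated format the awk one-liners above operate on.
"""
from collections import defaultdict

# Constructed sample data (not from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
strategicsec:x:1000:1000:Strategic Sec:/home/strategicsec:/bin/bash
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/bash
svc:x:1000:1001:service account:/home/svc:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$saltsalt$hashhashhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
strategicsec:$6$saltsalt$hashhashhash:18000:0:99999:7:::
backup:*:18000:0:99999:7:::
toor::18000:0:99999:7:::
www-data:*:18000:0:99999:7:::
svc:!:18000:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return a list of (name, uid, shell) tuples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a fuller audit would report it
        entries.append((fields[0], int(fields[2]), fields[6]))
    return entries


def parse_shadow(text):
    """Return {name: password_field} for each shadow entry."""
    out = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = fields[1]
    return out


def audit_accounts(passwd_text, shadow_text):
    """Return a dict of findings keyed by check name."""
    entries = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)

    by_uid = defaultdict(list)
    for name, uid, _shell in entries:
        by_uid[uid].append(name)

    return {
        # Any UID-0 account besides root is a second superuser.
        "extra_uid0": sorted(n for n in by_uid[0] if n != "root"),
        # Two names sharing a UID are the same identity to the kernel.
        "duplicate_uid": {uid: names for uid, names in by_uid.items() if len(names) > 1},
        # An empty shadow password field means login with no password at all.
        "empty_password": sorted(n for n, pw in shadow.items() if pw == ""),
        # System accounts (UID < 1000) should not have an interactive shell.
        "system_with_shell": sorted(
            n for n, uid, shell in entries
            if uid < 1000 and uid != 0 and shell not in NOLOGIN_SHELLS
        ),
    }


if __name__ == "__main__":
    for check, result in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {result}")
```

To run it against a real host, read /etc/passwd and /etc/shadow (the latter needs root) and pass the text in place of the sample strings.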



- What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



- Anything “interesting” in the home directory(ies)? If it’s possible to access them
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


- Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


- What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



- What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


- Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


- Any settings/files (hidden) on the website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


- Is there anything in the log file(s)? (Could help with “Local File Includes”!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp




#################
# IPTables Demo #
#################
- Reference:
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

- Delete Existing Rules
---------------------
sudo /sbin/iptables -F
(or)
sudo /sbin/iptables --flush



- Set Default Chain Policies
--------------------------
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

- Note: with all three policies set to DROP and no ACCEPT rules in place yet, an SSH session to the host stops working. On a remote box, add the allow rules below before changing the default policies.



- Block a Specific ip-address
---------------------------
BLOCK_THIS_IP="1.2.3.4"
iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP


iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP


- Allow ALL Incoming SSH
----------------------
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


- Allow Incoming SSH only from a Specific Network
-----------------------------------------------
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


- Allow Incoming HTTP and HTTPS
-----------------------------
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT


iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT



- Combine Multiple Rules Together using MultiPorts
------------------------------------------------
iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT


- Allow Outgoing SSH
------------------
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT



####################
# MD5 Hashing Demo #
####################
mkdir ~/demo
cd ~/demo



mkdir hashdemo
cd hashdemo
echo test > test.txt
cat test.txt
md5sum test.txt
echo hello >> test.txt
cat test.txt
md5sum test.txt
cd ..
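- The md5sum demo shows that appending one line changes the digest. As an added example (not from the notes), the Python script below turns that into the check a defender actually runs: record a digest for every file under a directory, then compare later and report modified, added and removed files. It uses SHA-256 rather than MD5 because MD5 collisions are practical to construct, and it works in a temporary directory it creates itself, so it runs offline.

```python
"""File-integrity manifest with hashlib.

Added example, not code from the workshop. build_manifest() records a
digest per file; compare_manifests() diffs two manifests; demo() repeats
the test.txt edit from the notes and shows it being detected.
"""
import hashlib
import os
import tempfile


def file_digest(path, algo="sha256", chunk_size=65536):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, algo="sha256"):
    """Map each file's path (relative to root) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = file_digest(full, algo)
    return manifest


def compare_manifests(old, new):
    """Return which files changed, were added, or were removed since `old`."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo():
    """Reproduce the test.txt demo from the notes and detect the change."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "test.txt"), "w") as f:
            f.write("test\n")          # same content as: echo test > test.txt
        with open(os.path.join(root, "keep.txt"), "w") as f:
            f.write("unchanged\n")
        baseline = build_manifest(root)

        # Same edit as the demo (echo hello >> test.txt), plus one new
        # file and one deleted file so every category of change appears.
        with open(os.path.join(root, "test.txt"), "a") as f:
            f.write("hello\n")
        with open(os.path.join(root, "extra.txt"), "w") as f:
            f.write("new\n")
        os.remove(os.path.join(root, "keep.txt"))

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is stored somewhere the host cannot modify, otherwise an attacker who changes a file can also update its recorded digest.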



Reference:
https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/


#################################
# Symmetric Key Encryption Demo #
#################################
mkdir gpgdemo
cd gpgdemo
echo test > test.txt
cat test.txt
gpg -c test.txt
password
password
ls | grep test
cat test.txt
cat test.txt.gpg
rm -rf test.txt
ls | grep test
gpg -o output.txt test.txt.gpg
cat output.txt


#########################################################################################################################
# Asymmetric Key Encryption Demo #
# #
# Configure random number generator #
# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
#########################################################################################################################

sudo apt-get install rng-tools
strategicsec

sudo /etc/init.d/rng-tools start

sudo rngd -r /dev/urandom
strategicsec


echo hello > file1.txt
echo goodbye > file2.txt
echo green > file3.txt
echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
1
1024
0
y
John Doe
john@doe.com
--blank comment--
O
password
password



gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

ls

tar -zxvf files.tar.gz.gpg (What happens?)

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
password

tar -zxvf output.tar.gz

ls

Reference:
http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/



############################
# Encryption using OpenSSL #
############################
openssl genrsa -out private_key.pem 1024
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout


echo hello > encrypt.txt
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat

cat encrypt.dat

rm -rf encrypt.txt

ls

openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt

cat decrypt.txt

- Note: this is a demo of raw RSA, not a general file-encryption tool. A 1024-bit key is below current recommendations, rsautl can only encrypt a message smaller than the key size, and OpenSSL 3.0 deprecates rsautl in favour of pkeyutl.



##############################################
# Log Analysis with Linux command-line tools #
##############################################
- The following command line executables are found on the Mac as well as most Linux Distributions.

cat – prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk – can split each row into fields and display only what is needed
sed – performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates



###############
# Apache Logs #
###############

Reference:
http://www.the-art-of-web.com/system/logs/

wget https://s3.amazonaws.com/SecureNinja/Python/access_log


- You want to list all user agents ordered by the number of times they appear (descending order):

awk -F\" '{print $6}' access_log | sort | uniq -c | sort -fr



- Using the default separator, which is any white-space (spaces or tabs), we get the following:

awk '{print $1}' access_log # ip address (%h)
awk '{print $2}' access_log # RFC 1413 identity (%l)
awk '{print $3}' access_log # userid (%u)
awk '{print $4,$5}' access_log # date/time (%t)
awk '{print $9}' access_log # status code (%>s)
awk '{print $10}' access_log # size (%b)

- You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character, which changes the way the lines are 'exploded' and allows the following:

awk -F\" '{print $2}' access_log # request line (%r)
awk -F\" '{print $4}' access_log # referer
awk -F\" '{print $6}' access_log # user agent


awk -F\" '{print $6}' access_log \
| sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \
| sort | uniq -c | sort -fr


- The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?

awk -F\" '($6 ~ /Googlebot/){print $2}' access_log | awk '{print $2}'

- Or who's been looking at your guestbook?

awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log


Reference:
https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/

# top 20 URLs from the last 5000 hits
tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20

# top 20 URLS excluding POST data from the last 5000 hits
tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20

# top 20 IPs from the last 5000 hits
tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20

# top 20 URLs requested from a certain ip from the last 5000 hits
IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20

# top 20 URLS requested from a certain ip, excluding POST data, from the last 5000 hits
IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20

# top 20 referrers from the last 5000 hits
tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20

# top 20 user agents from the last 5000 hits
tail -5000 ./access_log | cut -d' ' -f12- | sort | uniq -c | sort -rn | head -20

# sum of data (in MB) transferred in the last 5000 hits
tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
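- As an added example (not from the notes or the referenced articles), here is the same Apache log triage in Python. Unlike the field-number one-liners, it parses the quoted fields properly (a user agent containing spaces is one field, not several) and strips the query string the way awk -F"[ ?]" does, then answers the same questions: top user agents, top paths, which pages Googlebot requested, and, for a defender, which client IPs are producing the most 4xx errors. The log lines are constructed.

```python
"""Apache combined-log triage.

Added example, not code from the workshop. Format per line:
  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format (not a real log).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2016:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/47.0"
10.0.0.5 - - [10/Oct/2016:13:55:37 -0700] "GET /guestbook.html HTTP/1.1" 200 1024 "http://example.test/index.html" "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/47.0"
203.0.113.9 - - [10/Oct/2016:13:56:01 -0700] "GET /admin.php?id=1 HTTP/1.1" 404 512 "-" "scanner-bot/1.0"
203.0.113.9 - - [10/Oct/2016:13:56:02 -0700] "GET /admin.php?id=2 HTTP/1.1" 404 512 "-" "scanner-bot/1.0"
203.0.113.9 - - [10/Oct/2016:13:56:03 -0700] "GET /login.php HTTP/1.1" 403 256 "-" "scanner-bot/1.0"
66.249.66.1 - - [10/Oct/2016:13:57:10 -0700] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Request line is "METHOD URI PROTOCOL"; tolerate malformed requests.
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["uri"] = parts[1] if len(parts) > 1 else ""
    rec["path"] = urlsplit(rec["uri"]).path  # drop ?query, like awk -F"[ ?]"
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def parse_log(text):
    """Parse every line, silently skipping lines that do not match the format."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def top(records, key, n=20):
    """Most common values of a field: awk '{print $N}' | sort | uniq -c | sort -rn."""
    return Counter(r[key] for r in records).most_common(n)


def client_errors_by_ip(records, threshold=3):
    """IPs with at least `threshold` 4xx responses: a cheap scanner/brute-force signal."""
    errs = Counter(r["ip"] for r in records if 400 <= r["status"] < 500)
    return {ip: c for ip, c in errs.items() if c >= threshold}


def googlebot_paths(records):
    """Same question as the awk example: which pages has Googlebot requested?"""
    return [r["path"] for r in records if "Googlebot" in r["agent"]]


def total_bytes(records):
    """Sum of %b, like awk '{sum+=$10}'."""
    return sum(r["size"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top agents:", top(recs, "agent"))
    print("top paths:", top(recs, "path"))
    print("4xx by ip:", client_errors_by_ip(recs))
    print("googlebot:", googlebot_paths(recs))
    print("bytes:", total_bytes(recs))
```

For the workshop's access_log, replace SAMPLE_LOG with the file contents read from disk; lines that do not match the combined format are dropped, so compare len(parse_log(...)) with wc -l to see how many were skipped.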


##############
# Cisco Logs #
##############

wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log


AWK Basics
----------
- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.

cat cisco.log | awk '{print $5}' | tail -n 4




- Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort”, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.

cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn




- While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain “facility-level-mnemonic”.

cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn





- Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.

cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
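- As an added example (not from the notes), the Python below does the Cisco log triage above with one regex instead of counting on the message sitting in field $5 and the interface in $10. It captures the %FACILITY-SEVERITY-MNEMONIC tag, counts tags the way the sort | uniq -c pipeline does, tallies interface state changes from the UPDOWN messages so a flapping link stands out, and lists messages at warning severity or worse. The log lines are constructed in IOS syslog style.

```python
"""Cisco IOS syslog triage.

Added example, not code from the workshop. Each IOS message carries a
%FACILITY-SEVERITY-MNEMONIC tag; severity 0 is emergency, 7 is debug.
"""
import re
from collections import Counter

# Constructed sample lines (not from the workshop's cisco.log).
SAMPLE_CISCO = """\
Jun 29 10:01:02 10.1.1.1 123: Jun 29 10:01:01.123: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Jun 29 10:01:05 10.1.1.1 124: Jun 29 10:01:04.456: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up
Jun 29 10:01:09 10.1.1.1 125: Jun 29 10:01:08.789: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Jun 29 10:02:00 10.1.1.1 126: Jun 29 10:01:59.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
Jun 29 10:02:30 10.1.1.2 88: Jun 29 10:02:29.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)
Jun 29 10:03:00 10.1.1.2 89: Jun 29 10:02:59.000: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 192.0.2.77] [localport: 22] [Reason: Login Authentication Failed] at 10:02:59 UTC Wed Jun 29 2016
garbage line that does not match the facility-severity-mnemonic pattern
"""

# Same pattern the notes grep for, with the three parts captured.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)
# Interface name followed by the state it moved to (comma optional).
UPDOWN_RE = re.compile(r"Interface (?P<iface>\S+?),? changed state to (?P<state>\w+)")


def parse_cisco_line(line):
    """Return tag fields for one line, or None when there is no %TAG (the 'garbage')."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    rec["tag"] = f"%{rec['facility']}-{rec['severity']}-{rec['mnemonic']}"
    return rec


def parse_cisco_log(text):
    return [r for r in (parse_cisco_line(line) for line in text.splitlines()) if r]


def count_by_tag(records):
    """Equivalent of: grep %...-[0-9]-... | awk '{print $5}' | sort | uniq -c | sort -rn"""
    return Counter(r["tag"] for r in records).most_common()


def interface_state_changes(records):
    """Count (interface, new_state) pairs from LINEPROTO/LINK UPDOWN messages."""
    changes = Counter()
    for r in records:
        if r["mnemonic"] != "UPDOWN":
            continue
        m = UPDOWN_RE.search(r["text"])
        if m:
            changes[(m.group("iface"), m.group("state"))] += 1
    return changes


def flapping_interfaces(records, min_changes=3):
    """Interfaces with at least min_changes transitions in the log window."""
    per_iface = Counter()
    for (iface, _state), n in interface_state_changes(records).items():
        per_iface[iface] += n
    return sorted(i for i, n in per_iface.items() if n >= min_changes)


def high_severity(records, max_level=4):
    """Tags of messages at severity 0-4 (emergency..warning), e.g. failed logins."""
    return [r["tag"] for r in records if r["severity"] <= max_level]


if __name__ == "__main__":
    recs = parse_cisco_log(SAMPLE_CISCO)
    print(count_by_tag(recs))
    print(interface_state_changes(recs))
    print("flapping:", flapping_interfaces(recs))
    print("warning or worse:", high_severity(recs))
```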



###########################
# Target IP Determination #
###########################
- This portion starts the actual workshop content
- Zone Transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk


- Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
perl blindcrawl.pl -d motorola.com
Look up the IP addresses at:
http://www.networksolutions.com/whois/index.jsp

cd ~/toolz/fierce2
sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim
strategicsec
wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
tar -zxvf Template-Toolkit-2.14.tar.gz
cd Template-Toolkit-2.14/
perl Makefile.PL
y
y
n
y
sudo make install

sudo bash install.sh

./fierce

./fierce -dns motorola.com

cd ~/toolz/




- Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what its hostname is
cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
sudo nmap -sL 148.87.1.0-255 | grep oracle



###########################
# Load Balancer Detection #
###########################

- Here are some options to use for identifying load balancers:
- http://toolbar.netcraft.com/site_report/
- Firefox LiveHTTP Headers


- Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh google.com


halberd microsoft.com
halberd motorola.com
halberd oracle.com



######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com


cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com

sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov


#########################
# Playing with Nmap NSE #
#########################

nmap -Pn -p80 --script ip-geolocation-* strategicsec.com

nmap -p80 --script dns-brute strategicsec.com

nmap --script http-robtex-reverse-ip secore.info

nmap -Pn -p80 --script=http-headers strategicsec.com


ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* strategicsec.com

sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 148.87.1.0/24

sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 148.87.1.0/24

sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 148.87.1.0/24

sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 148.87.1.0/24

sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 148.87.1.0/24

sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 148.87.1.0/24

sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 148.87.1.0/24

sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 148.87.1.0/24

sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 148.87.1.0/24

sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 148.87.1.0/24

sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 148.87.1.0/24

sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 148.87.1.0/24

  887. ############
  888. # Nmap NSE #
  889. ############
  890.  
  891. - Reference for this tutorial is:
  892. https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/
  893.  
  894. ----------------------------------------------------------------------
  895. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  896.  
  897. -- The Head Section --
  898. -- The Rule Section --
  899. portrule = function(host, port)
  900. return port.protocol == "tcp"
  901. and port.number == 80
  902. and port.state == "open"
  903. end
  904.  
  905. -- The Action Section --
  906. action = function(host, port)
  907. return "Linux for InfoSec Professionals!"
  908. end
  909. ----------------------------------------------------------------------
  910.  
  911. - Ok, now that we've made that change let's run the script
  912. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  913.  
  914.  
  915.  
  916.  
  917.  
  918.  
  919. ----------------------------------------------------------------------
  920. sudo vi /usr/share/nmap/scripts/intro-nse.nse
  921.  
  922. -- The Head Section --
  923. local shortport = require "shortport"
  924.  
  925. -- The Rule Section --
  926. portrule = shortport.http
  927.  
  928.  
  929. -- The Action Section --
  930. action = function(host, port)
  931. return "Linux for InfoSec Professionals!"
  932. end
  933. ----------------------------------------------------------------------
  934.  
  935. - Ok, now that we've made that change let's run the script
  936. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
  937.  
  938.  
  939.  
  940.  
  941.  
  942.  
  943.  
----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)
  return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)

  if ( response.status == 200 ) then
    return response.body
  end

end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)

  if ( response.status == 200 ) then
    local title = string.match(response.body, "Pentest Candidate Program")
    return title
  end

end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)

  if ( response.status == 200 ) then
    local title = string.match(response.body, "Pentest Candidate Program")

    if (title) then
      return "Vulnerable"
    else
      return "Not Vulnerable"
    end
  end
end

----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
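
- The six versions above build the script up one piece at a time, but they never fill in the Head Section, and they index response.status and response.body without checking that the request actually succeeded. When a port passes the portrule but the HTTP exchange fails (timeout, reset, TLS error), http.get hands back a table whose fields are nil, and the script aborts with a Lua error instead of reporting anything. The script below is an added example (it is not from the class notes or from the thesprawl tutorial) that finishes the exercise: it adds the metadata Nmap uses for category selection and for --script-updatedb, reads the path and marker string from script arguments (the argument names intro-nse.path and intro-nse.marker and their defaults are my own choice, not anything Nmap defines), matches the marker literally rather than as a Lua pattern, and returns a structured table so the result also appears cleanly in -oX output. It assumes the shortport, http and stdnse libraries that ship with a current Nmap.

```lua
-- intro-nse.nse (added example, not the class notes' own script)
-- Completes the tutorial's head/rule/action layout and adds the nil
-- checks the earlier versions skip. The script-arg names and defaults
-- below are placeholders chosen for this example.

local shortport = require "shortport"
local http      = require "http"
local string    = require "string"
local stdnse    = require "stdnse"

-- The Head Section: metadata Nmap reads when indexing scripts
-- (nmap --script-updatedb) and when selecting by category.
description = [[
Fetches a fixed path from an HTTP service and reports whether a given
marker string appears in a 200 OK response. Built as a worked example of
the head/rule/action layout from the Linux For InfoSec class notes.
]]

author     = "Linux For InfoSec class example"
license    = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- Script arguments so the path and marker are not hard-coded:
--   --script-args intro-nse.path=/robots.txt,intro-nse.marker=Disallow
local arg_path   = stdnse.get_script_args("intro-nse.path")   or "/"
local arg_marker = stdnse.get_script_args("intro-nse.marker") or "<title>"

-- The Rule Section: run only against ports Nmap identified as HTTP.
portrule = shortport.http

-- The Action Section.
action = function(host, port)
  local response = http.get(host, port, arg_path)

  -- http.get returns a table even on failure, but status and body may be
  -- nil. Return nil (no output for this port) instead of indexing nil,
  -- which would abort the script with a Lua error.
  if not response or not response.status then
    return nil
  end

  -- Anything other than 200 is reported as-is so a redirect or an auth
  -- wall is not mistaken for "marker absent".
  if response.status ~= 200 then
    return string.format("HTTP %d for %s", response.status, arg_path)
  end

  -- plain=true turns off Lua pattern matching so characters such as
  -- '.', '-' or '%' in the marker are matched literally.
  local found = response.body
                and string.find(response.body, arg_marker, 1, true)

  -- A key/value table is rendered as nested output in normal mode and as
  -- structured elements in XML output.
  local out = stdnse.output_table()
  out.path   = arg_path
  out.marker = arg_marker
  out.found  = found and true or false
  return out
end
```

Run it the same way as before, overriding the defaults with script arguments, e.g. sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse --script-args intro-nse.path=/robots.txt,intro-nse.marker=Disallow darkoperator.com -p 22,80,443. Ports 22 and 443 only produce output if Nmap identifies them as HTTP, because shortport.http decides which ports reach the action at all; a port that answers but returns something other than 200 shows the status code rather than a misleading "Not Vulnerable".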


##############################
# Linux For InfoSec Homework #
##############################
In order to receive your certificate of attendance you must complete all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.


Submit the results via email as an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)



###############################
# Linux For InfoSec Challenge #
###############################

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/b5SxBRf6).

Submit the results via email as an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)



IMPORTANT NOTE:
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 16th at midnight EST.