View difference between Paste ID: <a href="/6cPavK1N">6cPavK1N</a> and <a href="/KiFN5mmX">KiFN5mmX</a> - Pastebin.com

View difference between Paste ID: 6cPavK1N and KiFN5mmX

SHOW: | | - or go back to the newest paste.

                               #############################
# PMRF Intro to Linux & Comptia Linux+ Exam Prep    # 
############################## # Day 1: Linux Fundamentals # ##############################
# By Joe McCray aegisweaponssystem                  #
                               #############################








#####################################################
# 2020 Intro to Linux & Comptia Linux+ Exam Prep    # 
# By Joe McCray                                     #
#####################################################

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319

Host Name:          45.32.217.27

- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/
username:           pmrf

password:           

- I prefer to use Putty to SSH into my Linux host.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

Here is the information to put into putty

Host Name:          149.28.201.171
protocol:           ssh
port:               22
username:           linuxtraining
password:           linux!training123!


########################
# Basic Linux Commands #
########################

---------------------------Type This-----------------------------------
cd ~

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

cd ~/students/

mkdir yourname					<---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

cd yourname						<---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

touch one two three

ls -l t							(without pressing the Enter key, press the Tab key twice. What happens?)

h								(and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'		(What happens?)

Press 'Ctrl-A'					(What happens?)

ls

clear							(What happens?)

echo one > one

cat one							(What happens?)

man cat							(What happens?)
	q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three 						(What happens?)

wc -l three

man wc
	q

info wc
	q

cat three | grep four

cat three | grep one

man grep
	q


man ps
	q

ps

ps aux

ps aux | less

Press the 'Up arrow key'		(What happens?)

Press the 'Down arrow key'		(What happens?)
	q

cd ~/yourname/

    q
-----------------------------------------------------------------------


#########
# Files #
#########
---------------------------Type This-----------------------------------
cd ~

pwd

cd ~/students/yourname/

pwd

ls

mkdir LinuxBasics

cd LinuxBasics

pwd

ls

mkdir files

touch one two three

cp one files/

ls files/

cd files/

cp ../two .

ls

cp ../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

cd ~/yourname/LinuxBasics


unzip -l data.zip

mkdir /tmp/yourname/

unzip data.zip -d /tmp/yourname/
-----------------------------------------------------------------------



############
# VIM Demo #
############
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

mkdir vimlesson

cd vimlesson

vi lesson1.sh

i								(press "i" to get into INSERT mode and then paste in the lines below)

#!/bin/bash

echo "This is my first time using vi to create a shell script"
echo " "
echo " "
echo " "
sleep 5
echo "Ok, now let's clear the screen"
sleep 3
clear


---------------don't put this line in your script----------------------------

ESC			(press the ESC key to get you out of INSERT mode)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.


wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).



vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

/echo		(typing "/echo" immediately after SHIFT: will search the file for the word echo).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

dd		(typing "dd" will delete the line that you are on)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

dd		(typing "dd" will delete the line that you are on)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

syntax on		(typing "syntax on" immediately after SHIFT: will turn on syntax highlighting

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set tabstop=5	(typing "set tabstop=5" immediately after SHIFT: will set your tabs to 5 spaces

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi .vimrc
i			(press "i" to get into INSERT mode and then paste in the lines below)


set number
syntax on
set tabstop=5

ESC			(press the ESC key to get you out of INSERT mode)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).






vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

echo $MYVIMRC	(typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
cd ~/yourname/LinuxBasics

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
-----------------------------------------------------------------------








###############
# Permissions #
###############
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

ls -l one
-----------------------------------------------------------------------
We can determine a lot from examining the results of this command. The file "one" is owned by user "me". 
Now "me" has the right to read and write this file. 
The file is owned by the group "me". Members of the group "me" can also read and write this file. 
Everybody else can read this file


---------------------------Type This-----------------------------------
ls -l /bin/bash
-----------------------------------------------------------------------

Here we can see:

The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file. 
The file is owned by the group "root". Members of the group "root" can also read and execute this file.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Everybody else can read and execute this file


The next command you need to know is "chmod"
rwx rwx rwx = 111 111 111
rw- rw- rw- = 110 110 110
rwx --- --- = 111 000 000

and so on...

rwx = 111 in binary = 7
rw- = 110 in binary = 6
r-x = 101 in binary = 5
r-- = 100 in binary = 4


---------------------------Type This-----------------------------------
ls -l one

chmod 600 one

ls -l one

sudo useradd yourname
	aegisweaponssystem


sudo passwd yourname

     P@$$w0rd321
     P@$$w0rd321

sudo chown testuser one
	aegisweaponssystem

ls -l one

sudo chgrp testuser one
	aegisweaponssystem

ls -l one

id

su testuser
     P@$$w0rd321
-----------------------------------------------------------------------

Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.

Value	Meaning
777 (rwxrwxrwx) 	No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.

755 (rwxr-xr-x) 	The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.

700 (rwx------) 	The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.

666 (rw-rw-rw-) 	All users may read and write the file.

644 (rw-r--r--) 	The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.

600 (rw-------) 	The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.



Directory permissions
---------------------
The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:

Value	Meaning
777 (rwxrwxrwx) 	No restrictions on permissions. 
Anybody may list files, create new files in the directory and delete files in the directory. 
Generally not a good setting.



755 (rwxr-xr-x) 	The directory owner has full access. 
All others may list the directory, but cannot create files nor delete them. 
This setting is common for directories that you wish to share with other users.



700 (rwx------) 	The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.

######################
# Process Management #
######################
---------------------------Type This-----------------------------------
top
	q

htop
	q

ps

ps aux

ps -A

ps -A | less

ps axjf

pstree

pstree -A

pgrep bash

pgrep init

ps aux | grep apache
-----------------------------------------------------------------------



You can list all of the signals that are possible to send with kill by typing:
---------------------------Type This-----------------------------------
kill -l

sudo kill -HUP pid_of_apache

cd ~/yourname/LinuxBasics


pkill -9 ping
The above command is the equivalent of:

kill -9 `pgrep ping`
-----------------------------------------------------------------------




################
# Hashing Demo #
################
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

mkdir hashdemo

cd hashdemo

echo test > test.txt

cat test.txt

md5sum test.txt

echo hello >> test.txt

cat test.txt

md5sum test.txt

echo test2 > test2.txt

cat test2.txt

sha256sum test2.txt

cd ~/yourname/LinuxBasics


cat test2.txt

sha256sum test2.txt

cd ..
-----------------------------------------------------------------------



#################################
# Symmetric Key Encryption Demo #
#################################
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics

mkdir gpgdemo

cd gpgdemo

echo test > test.txt

cat test.txt

gpg -c test.txt
	password
	password

ls | grep test

cat test.txt

cat test.txt.gpg

rm -rf test.txt

ls | grep test

cd ~/yourname/LinuxBasics/gpgdemo

	P@$$w0rD!@#$P@$$w0rD!@#$

cat output.txt
-----------------------------------------------------------------------



#########################################################################################################################
# Asymmetric Key Encryption Demo 											                                            #
#															                                                            #
# Configure random number generator 											                                        #
# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny	    #
#########################################################################################################################
---------------------------Type This-----------------------------------
cd ~/students/yourname/LinuxBasics/gpgdemo

echo hello > file1.txt

echo goodbye > file2.txt

		password

		password	

echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
	1
	1024
	0
	y
	John Doe
	john@doe.com
	--blank comment--
	O
		P@$$w0rD!@#$P@$$w0rD!@#$
		P@$$w0rD!@#$P@$$w0rD!@#$	



gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

ls

tar -zxvf files.tar.gz.gpg

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
	P@$$w0rD!@#$P@$$w0rD!@#$

tar -zxvf output.tar.gz

ls
-----------------------------------------------------------------------



##############################################
# Log Analysis with Linux command-line tools #
##############################################
- The following command line executables are found in the Mac as well as most Linux Distributions.
 
wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log

grep – searches and filters based on patterns
awk –  can sort each row into fields and display only what is needed
sed –  performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates
 
 
 
 
 
##############
# Cisco Logs #
##############
---------------------------Type This-----------------------------------
cd ~/students/yourname/ 
mkdir security
cd security
mkdir log_analysis
cd log_analysis
wget http://45.63.104.73/cisco.log
-----------------------------------------------------------------------


AWK Basics
----------
- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
---------------------------Type This----------------------------------- 
cat cisco.log | awk '{print $5}' | tail -n 4
----------------------------------------------------------------------- 
 
 
 
- Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
---------------------------Type This----------------------------------- 
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
----------------------------------------------------------------------- 
 
 
 
- While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
---------------------------Type This----------------------------------- 
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).

 
 
The fastest thing you can do is perform static analysis. 

 
- Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
---------------------------Type This----------------------------------- 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:
# Static Analysis #

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
 
cd Desktop/

-----------------------------------------------------------------------

- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':



cd ~/Desktop/

wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
##################
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate
# Day 1 Homework #
##################
Task Option 1: Linux Survival
-----------------------------
Do all of the exercises in Linux Survival (http://linuxsurvival.com/linux-tutorial-introduction/)
Create a word document that contains the screenshots of the quizzes NOTE: You must score a perfect 100 for all 4 quizzes
Name the word document 'YourFirstName-YourLastName-LinuxDay1-LinuxSurvival.docx' (ex: 'Joseph-McCray-LinuxDay1-LinuxSurvival.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow


Task Option 2: Basic Shell Scripting
------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=_n5ZegzieSQ
Create a word document that contains the screenshots of the tasks performed in this video
Name the word document 'YourFirstName-YourLastName-LinuxDay1-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay1-ShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow













                               ###########################
############################## # Day 2: Malware Analysis # ##############################
                               ###########################



################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis. 



####################
# Malware Analysis #
####################



- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd ~/students/yourname/security/
mkdir malware_analysis
cd malware_analysis
-----------------------------------------------------------------------
sudo apt-get install -y python-pefile

     malware
- This is actual Malware (remember to run it in a VM - the password to extract it is 'infected':
 
---------------------------Type This-----------------------------------
wget https://infosecaddicts-files.s3.amazonaws.com/malware-password-is-infected.zip --no-check-certificate
wget https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py --no-check-certificate
wget https://infosecaddicts-files.s3.amazonaws.com/wannacry.zip --no-check-certificate
 
unzip malware-password-is-infected.zip
    infected
 
file malware.exe
 
mv malware.exe malware.pdf
 
file malware.pdf
 
mv malware.pdf malware.exe
 
hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------
 
 
***What is '4d 5a' or 'MZ'***
Reference:
cd Desktop/

 
wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip







---------------------------Type This-----------------------------------
objdump -x malware.exe
 
strings malware.exe
 
strings --all malware.exe | head -n 6
 
strings malware.exe | grep -i dll
 
strings malware.exe | grep -i library
 
strings malware.exe | grep -i reg
 
strings malware.exe | grep -i hkey
 
strings malware.exe | grep -i hku
-----------------------------------------------------------------------
                            - We didn't see anything like HKLM, HKCU or other registry type stuff
 
 
---------------------------Type This-----------------------------------
strings malware.exe | grep -i irc
 
strings malware.exe | grep -i join         
 
strings malware.exe | grep -i admin
 
strings malware.exe | grep -i list
-----------------------------------------------------------------------
 
                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
 
---------------------------Type This-----------------------------------
vi analyse_malware.py
 
python analyse_malware.py malware.exe
-----------------------------------------------------------------------
 
 
 
 

 
 
 
- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd ~/students/yourname/security/malware_analysis
 
unzip wannacry.zip
     infected
 
file wannacry.exe
 
mv wannacry.exe malware.pdf
 
file malware.pdf
 
mv malware.pdf wannacry.exe
 
hexdump -n 2 -C wannacry.exe
-----------------------------------------------------------------------
 
 
 
***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html
 
 
 
 
---------------------------Type This-----------------------------------
objdump -x wannacry.exe
 
strings wannacry.exe
 
strings --all wannacry.exe | head -n 6
 
strings wannacry.exe | grep -i dll
 
strings wannacry.exe | grep -i library
 
strings wannacry.exe | grep -i reg
 
strings wannacry.exe | grep -i key
 
strings wannacry.exe | grep -i rsa
 
strings wannacry.exe | grep -i open
 
strings wannacry.exe | grep -i get
 
strings wannacry.exe | grep -i mutex
 
strings wannacry.exe | grep -i irc
 
strings wannacry.exe | grep -i join        
 
strings wannacry.exe | grep -i admin
 
strings wannacry.exe | grep -i list
-----------------------------------------------------------------------
 
 
 
 
 
 
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
 
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py

 
 
Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
 
- Yara Rule -
 
 
Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
 
sudo apt install -y python-pefile

     infosecaddicts

 
 
 
 
 
Ok, let's look for the individual strings in our file
 
 
---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops
 
strings wannacry.exe | grep -i wanna
 
strings wannacry.exe | grep -i wcry
 
strings wannacry.exe | grep -i wannacry
 
strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
 -----------------------------------------------------------------------
 
Building a Malware Scanner

--------------------------



mkdir ~/Desktop/malwarescanner

# Good references for WannaCry #
cd ~/Desktop/malwarescanner

 
wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

 
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
cd malwarescanner-master/


python scanner.py -h


cat strings.txt


cat hashes.txt

 
mkdir ~/Desktop/malcode

 
cp ~/Desktop/malware.exe ~/Desktop/malcode

####################################
python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt

####################################
cd ~/Desktop/

 
Reference1:
https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py
 
This is a really good script for the basics of static analysis
# Reference:                                        #

# https://jon.glass/analyzes-dridex-malware-p1/     #

https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
 
cd ~/Desktop/

This is really good for showing some good signatures to add to the Python script
 
sudo pip install olefile

     

https://pastebin.com/guxzCBmP
mkdir ~/Desktop/oledump

 
cd ~/Desktop/oledump

---------------------------Type This-----------------------------------
wget https://pastebin.com/raw/guxzCBmP
 
 
mv guxzCBmP am.py
wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip

 
vi am.py
 
python am.py wannacry.exe
-----------------------------------------------------------------------







##############
# Yara Ninja #
##############
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
 
Quick Google search for "wannacry ransomeware analysis"
 
 
Reference
https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/
 
 
 
- Yara Rule -
 
 
Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
 
 
sudo apt-get remove -y yara

 
 
wget https://github.com/plusvic/yara/archive/v3.4.0.zip

 
sudo apt-get -y install libtool

Ok, let's look for the individual strings
 
unzip v3.4.0.zip

 
cd yara-3.4.0

strings wannacry.exe | grep -i ooops
./bootstrap.sh

strings wannacry.exe | grep -i wanna
./configure

strings wannacry.exe | grep -i wcry
make

strings wannacry.exe | grep -i wannacry
sudo make install

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
 
yara -v

-----------------------------------------------------------------------
 
 
 
 
Let's see if we can get yara working.
---------------------------Type This-----------------------------------
cd ~/Desktop
cd ~/students/yourname/security/malware_analysis

yara rules-master/packer.yar malcode/malware.exe
mkdir quick_yara

cd quick_yara
Places to get more Yara rules:
wget http://45.63.104.73/wannacry.zip
------------------------------

https://malwareconfig.com/static/yaraRules/

https://github.com/kevthehermit/YaraRules
     **** password is infected ***
https://github.com/VectraThreatLab/reyara

 

 
Yara rule sorting script:

-------------------------

https://github.com/mkayoh/yarasorter

 
nano wannacry_1.yar
 
cd ~/Desktop/rules-master
---------------------------Paste This-----------------------------------
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
rule wannacry_1 : ransom
cd ~/Desktop/
{
yara rules-master/master.yar malcode/malware.exe
   meta:
       author = "Joshua Cannell"
       description = "WannaCry Ransomware strings"
       weight = 100
       date = "2017-05-12"
 
   strings:
       $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
       $s2 = "Wanna Decryptor" wide ascii nocase
       $s3 = ".wcry" wide ascii nocase
       $s4 = "WANNACRY" wide ascii nocase
Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
       $s5 = "WANACRY!" wide ascii nocase
http://derekmorton.name/files/malware_12-14-12.sql.bz2
       $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
 
   condition:
Malware Repositories:
       any of them
http://malshare.com/index.php
}
http://www.malwareblacklist.com/

http://www.virusign.com/

http://virusshare.com/

http://www.tekdefense.com/downloads/malware-samples/

 
 
 
---------------------------Type This-----------------------------------
 
# Creating a Malware Database #
yara wannacry_1.yar wannacry.exe
 
-----------------------------------------------------------------------
Creating a malware database (sqlite)

 
sudo apt-get install -y python-simplejson python-simplejson-dbg

 
 
wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py

wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip

nano wannacry_2.yar
 
---------------------------Paste This-----------------------------------
rule wannacry_2{
python avsubmit.py --init
   meta:
       author = "Harold Ogden"
python avsubmit.py -f malware.exe -e
       description = "WannaCry Ransomware Strings"
       date = "2017-05-12"
       weight = 100
 
   strings:
       $string1 = "msg/m_bulgarian.wnry"
Creating a malware database (mysql)
       $string2 = "msg/m_chinese (simplified).wnry"
       $string3 = "msg/m_chinese (traditional).wnry"
- Step 1: Installing MySQL database
       $string4 = "msg/m_croatian.wnry"
- Run the following command in the terminal:
       $string5 = "msg/m_czech.wnry"
       $string6 = "msg/m_danish.wnry"
sudo apt-get install mysql-server
       $string7 = "msg/m_dutch.wnry"
       $string8 = "msg/m_english.wnry"
     
       $string9 = "msg/m_filipino.wnry"
- Step 2: Installing Python MySQLdb module
       $string10 = "msg/m_finnish.wnry"
- Run the following command in the terminal:
       $string11 = "msg/m_french.wnry"
       $string12 = "msg/m_german.wnry"
sudo apt-get build-dep python-mysqldb
       $string13 = "msg/m_greek.wnry"
       $string14 = "msg/m_indonesian.wnry"
       $string15 = "msg/m_italian.wnry"
sudo apt-get install python-mysqldb
       $string16 = "msg/m_japanese.wnry"
       $string17 = "msg/m_korean.wnry"
       $string18 = "msg/m_latvian.wnry"
       $string19 = "msg/m_norwegian.wnry"
Step 3: Logging in
       $string20 = "msg/m_polish.wnry"
Run the following command in the terminal:
       $string21 = "msg/m_portuguese.wnry"
       $string22 = "msg/m_romanian.wnry"
mysql -u root -p                    (set a password of 'malware')
       $string23 = "msg/m_russian.wnry"
       $string24 = "msg/m_slovak.wnry"
- Then create one database by running following command:
       $string25 = "msg/m_spanish.wnry"
       $string26 = "msg/m_swedish.wnry"
create database malware;
       $string27 = "msg/m_turkish.wnry"
       $string28 = "msg/m_vietnamese.wnry"
exit;

 
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
   condition:
       any of ($string*)
vi mal_to_db.py                     (fill in database connection information)
}
----------------------------------------------------------------------------
python mal_to_db.py -i

 
 
------- check it to see if the files table was created ------

 
mysql -u root -p

    malware

 
show databases;

 
use malware;
yara wannacry_2.yar wannacry.exe
 
show tables;

 
describe files;

 
exit;

cd ~/students/yourname/security/malware_analysis/quick_yara

git clone https://github.com/Yara-Rules/rules.git 

- Now add the malicious file to the DB
cd rules/

python mal_to_db.py -f malware.exe -u
./index_gen.sh
 
ls
 
- Now check to see if it is in the DB
cd malware/
 
mysql -u root -p
ls | grep -i ransom
    malware

ls | grep -i rat
mysql> use malware;

ls | grep -i toolkit
select id,md5,sha1,sha256,time FROM files;

ls | grep -i apt
mysql> quit;

cd ..
 
cd capabilities/
 
ls
#################

# PCAP Analysis #
cat capabilities.yar
#################

cd ..
cd ~/Desktop/

cd cve_rules/
mkdir suspiciouspcap/

ls
cd suspiciouspcap/

cd ..
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

./index_gen.sh
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl

cd ..
 
yara -w rules/index.yar wannacry.exe
 
firefox index.html

----------------------------------------------------------------------


References:
https://www.slideshare.net/JohnLaycock1/yet-another-yara-allocution-yaya
https://www.slideshare.net/KasperskyLabGlobal/upping-the-apt-hunting-game-learn-the-best-yara-practices-from-kaspersky






# Intro to TCPDump #

#####################################################
# Analyzing Macro Embedded Malware                  #
sudo apt-get install tcpdump

---------------------------Type This-----------------------------------
cd ~/students/yourname/security/malware_analysis

Basic sniffing
mkdir macro_docs
--------------

cd macro_docs
sudo tcpdump -n

wget https://infosecaddicts-files.s3.amazonaws.com/064016.zip
 
Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy

 
sudo tcpdump -v -n

 
unzip 064016.zip
     infected
Getting the ethernet header (link layer headers)

------------------------------------------------

In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.

python oledump.py 064016.doc -s A4 -v
sudo tcpdump -vv -n -e

 
 
Sniffing a particular interface

-------------------------------

In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.

 
sudo tcpdump -D

python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------
Filtering packets using expressions - Selecting protocols

---------------------------------------------------------

 
$ sudo tcpdump -n tcp

python oledump.py 064016.doc -s A3 -v
 
Particular host or port

-----------------------

Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101

 
$ sudo tcpdump -n 'src 192.168.1.101'

http://www.rapidtables.com/convert/number/hex-to-ascii.htm
-----------------------------------------------------------------------
Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.

 
$ sudo tcpdump -n 'udp and dst port 53'

 
#########################################
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 1            #
$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
#########################################
Required Technical Skills:      Comfortable with basic Linux/Windows (MCSA/Linux+)
                                Comfortable with basic network (Network+)
Search the network traffic using grep
                                Comfortable with security fundamentals (Security+)
       
Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

 
$ sudo tcpdump -n -A | grep -e 'POST'

 
Job Task:                       Process security events, follow incident response triage playbook
So what is the idea behind searching packets. Well one good thing can be to sniff passwords.

Here is quick example to sniff passwords using egrep
#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 2            #
tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
#########################################
 
Required Technical Skills:      Comfortable with basic Linux/Windows system administration
                                Comfortable with basic network administration
                                Comfortable with basic programming
                                Comfortable researching IT security issues
# NGrep #
       
 
 
Install ngrep on Ubuntu

 
$ sudo apt-get install ngrep
Job Task:                       Perform detailed malware analysis, assist with development of the incident response triage playbook
 
Sample Playbook:                https://infosecaddicts-files.s3.amazonaws.com/IR-Program-and-Playbooks.zip
Search network traffic for string "User-Agent: "

 
$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80

#########################################
In the above command :
# Security Operations Center Job Roles  #
a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
# Intrusion Analysis Level 3            #
b) The d option specifies the interface to sniff. eth0 in this case.
#########################################
c) "User-Agent: " is the string to search for. All packets that have that string are displayed.

Required Technical Skills:      Strong statistical analysis background
2. Search network packets for GET or POST requests :
                                Strong programming background (C, C++, Java, Assembly, scripting languages)
                                Advanced system/network administration background
$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
                                Comfortable researching IT security issues
       
The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).

 
3. ngrep without any options would simply capture all packets.

 
$ sudo ngrep
Job Task:                       Perform detailed malware analysis
                                Perform detailed statistical analysis
                                Assist with development of the incident response triage playbook

https://dl.packetstormsecurity.net/papers/general/ngreptut.txt


$ sudo ngrep -d eth0 -n 3

#################################################
$ sudo ngrep -d any port 25
# Good references for learning Malware Analysis #
#################################################
 
This will let you monitor all activity crossing source or destination port 25

(SMTP).
https://www.slideshare.net/SamBowne/cnit-126-ch-0-malware-analysis-primer-1-basic-static-techniques
https://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-bsideslv-on-august-5-2014
$ sudo ngrep -wi -d wlan0 'user|pass' port 6667
https://www.slideshare.net/Bletchley131/intro-to-static-analysis

$ sudo ngrep -wi -d any 'user|pass' port 21


##################
# Day 2 Homework #
##################

Task Option 1: Basic Shell Scripting
------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=GtovwKDemnI
Create a word document that contains the screenshots of the tasks performed in this video
Name the word document 'YourFirstName-YourLastName-LinuxDay2-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay2-ShellScripting.docx')
sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow


tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
Task Option 2: Advanced Shell Scripting
---------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=aNQCl_ByM20&t=4045s
tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
Create a word document that contains the screenshots of the tasks performed in this video
Name the word document 'YourFirstName-YourLastName-LinuxDay2-AdvancedShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay2-AdvancedShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'



tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq



tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq


tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq





                               #####################################
############################## # Day 3: Threat Hunting on the wire # ##############################
                               #####################################




- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
cd ~/students/yourname/security/
mkdir pcap_analysis
cd pcap_analysis
-----------------------------------------------------------------------


 
 
##################################################################
# Analyzing a PCAP Prads                                         #
# Note: run as regular user                                      #
##################################################################
######################################

# PCAP Analysis with forensicPCAP.py #
---------------------------Type this as a regular user----------------------------------
######################################
cd ~/students/yourname/security/pcap_analysis/
 
cd ~/Desktop/suspiciouspcap/
mkdir prads
 
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
cd prads
 
sudo pip install cmd2==0.7.9
wget http://45.63.104.73/suspicious-time.pcap
 
prads -r suspicious-time.pcap -l prads-asset.log
python forensicPCAP.py suspicious-time.pcap

cat prads-asset.log | less
 
cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
 
ForPCAP >>> help
cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
 
cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
Prints stats about PCAP

 
ForPCAP >>> stat

 
 
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
##################################
# PCAP Analysis with ChaosReader #
ForPCAP >>> dns
# Note: run as regular user      #
##################################
ForPCAP >>> show
---------------------------Type this as a regular user----------------------------------
cd ~/students/yourname/security/pcap_analysis/
 
Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
mkdir chaos_reader/
 
ForPCAP >>> dstports
cd chaos_reader/
 
ForPCAP >>> show
wget http://45.63.104.73/suspicious-time.pcap
 
wget http://45.63.104.73/chaosreader.pl
Prints the number of ip source and store them.

perl chaosreader.pl suspicious-time.pcap
ForPCAP >>> ipsrc

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
ForPCAP >>> show

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
 
Prints the number of web's requests and store them

ForPCAP >>> web

 
ForPCAP >>> show

 
for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u | awk '{print $5}' > url.lst
 
Prints the number of mail's requests and store them

wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py
ForPCAP >>> mail

 
ForPCAP >>> show
python check-urls-virustotal.py url.lst
 
 
 
------------------------------------------------------------------------
 
 
 
# Understanding Snort rules #

 
Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)

 
Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)

#############################
Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)

# Note: run as regular user #
Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)

---------------------------Type this as a regular user---------------------------------
Field 5: Traffic Direction (->)
cd ~/students/yourname/security/pcap_analysis/
 
Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
mkdir tshark
 
Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
cd tshark/
 
Field 8: MSG - what is actually displayed on the analysts machine
wget http://45.63.104.73/suspicious-time.pcap
 
tshark -i ens3 -r suspicious-time.pcap -qz io,phs
Let's look at 2 simple rules

----------------------------------------------------------------------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \

bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \

content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \

00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \

reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \

attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \

depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \

00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \

distance:0; within:1; content:”|0b|”; distance:1; within:1; \

byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \

46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \

sid:2193; rev:1;)

----------------------------------------------------------------------------------

 
tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
 
From your Linux machine ping your Windows machine

------------------------------------------------------------------------
ping 192.168.11.1

 


Start wireshark and let's create some simple filters:

###############################
Filter 1:
# Extracting files from PCAPs #
# Note: run as regular user   #
ip.addr==192.168.11.1

---------------------------Type this as a regular user---------------------------------
cd ~/students/yourname/security/pcap_analysis/
Filter 2:

mkdir extract_files
ip.addr==192.168.11.1 && icmp

cd extract_files
 
wget http://45.63.104.73/suspicious-time.pcap
Filter 3:

foremost -v -i suspicious-time.pcap
ip.addr==192.168.11.1 && !(tcp.port==22)

cd output
Now stop your capture and restart it (make sure you keep the filter)

ls
 
cat audit.txt
 
Back to your Linux machine:
cd exe
[ CTRL-C ] - to stop your ping

wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py
wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
---------------------------------------------------------------------------------------

 
gcc -o exploit oc192-dcom.c
******* NOTE: You will need to put your virustotal API key in vtlite.py *******
* Create an account in virustotal > login > click on your profile > API key > copy API key > in terminal do nano vtlite.py > 
./exploit
* Paste the API key in where it says > profit
********************************************************************************

./exploit -d 192.168.11.1 -t 0
---------------------------Type this as a regular user--------------------------------- 
for f in *.exe; do python3 vtlite.py -s $f; sleep 20; done
---------------------------------------------------------------------------------------


Now go back to WireShark and stop the capture.

# PCAP Analysis with Suricata #
# Note: run as root           #
###############################
--------------------------Type this as root--------------------------------
cd ~/students/yourname/security/pcap_analysis/
 
mkdir suricata
 
cd suricata/
 
wget http://45.63.104.73/suspicious-time.pcap
 
wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
mkdir suri
 
sudo suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
 
cd suri/
 
cat stats.log | less
 
cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}
 
cat xx01
 
cat xx02
 
cat xx03
 
cat xx04
 
cat xx05
 
cat xx06
------------------------------------------------------------------------
 
 
#############################
# PCAP Analysis with Yara   #
# Note: run as regular user #
#############################
-------------------------Type this as a regular user----------------------------------
cd ~/students/yourname/security/pcap_analysis/
 
git clone https://github.com/kevthehermit/YaraPcap.git
cd YaraPcap/
wget http://45.63.104.73/suspicious-time.pcap
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd rules-master/
ls
cat index.yar
clear
./index_gen.sh
cd ..
mkdir matching_files/
python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
whereis tcpflow
vi yaraPcap.py        **** fix line 35 with correct path to tcpflow (/usr/bin/tcpflow)****
python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
cd matching_files/
ls
cat report.txt
------------------------------------------------------------------------




#################################################################################
# Now that you know packet analysis here are the next set of files to play with #
#################################################################################
https://s3.amazonaws.com/infosecaddictsfiles/Lena151.zip
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/APT41/APT41_StoreSyncSvc.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Agent_Tesla/agenttesla_09July2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/CVE-2019-9978/CVE-2019-9978_attempt_05May2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Powershell/Powershell_script_19Dec2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/sharik_smoke/sharik_smoke.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0703.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0801.pcap
 


References:
https://www.slideshare.net/j0b1n/tcpdump-hunter
https://www.slideshare.net/AviNetworks/reconsider-tcpdump-for-modern-troubleshooting


##################
# Day 3 Homework #
##################

Task Option 1: Shell Scripting
------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=hwrnmQumtPw
Create a word document that contains the screenshots of the tasks performed in this video
Name the word document 'YourFirstName-YourLastName-LinuxDay3-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay3-ShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow


Task Option 2: Python3
---------------------------------------
Watch and do all of the exercises in the first 7 videos from https://www.youtube.com/playlist?list=PLypxmOPCOkHVzhKRcWzEkQXCnmHezGVeB
Create a word document that contains the screenshots of the tasks performed in these videos
Name the word document 'YourFirstName-YourLastName-LinuxDay3-AdvancedShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay3-AdvancedShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow












                               ################################################################
############################## # Day 4: Programming Fundamentals & Offensive Cyber Operations # ##############################
                               ################################################################

------------------------------- Programming fundamentals -------------------------------


Joe rule #1 single quote, single quote, left arrow
--------------------------------------------------
'' <-- as soon as you type '', then hit your left arrow key to put you inside of the '' 
"" <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
something()	<-- as soon as you type (), then hit your left arrow key to put you inside of the ()
something[] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
something{} <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}

-- Now kick it up a notch
[]	<-- as soon as you type [], then hit your left arrow key to put you inside of the []
[()] <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
[({})] <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
[({"''"})] <-- as soon as you type "", then hit your left arrow key to put you inside of the "" 
[({"''"})] <-- as soon as you type '', then hit your left arrow key to put you inside of the '' 		



Joe rule #2 "Code can only do 3 things"
--------------------------------------

Process		- 	read, write, math

Decision	- 	if/then

Loop		- 	for




Joe rule #3 "Never more than 5-10"
---------------------------------

-----5 lines of code----
line 1 blah blah blah
line 2 blah blah blah
line 3 blah blah blah
line 4 blah blah blah
line 5 blah blah blah


	sales_tax	= 	price		* 	tax_rate


	0.80		=	10		*	0.08

-----5-10 lines of code---- = function
	price = 10
	
	def st():
		sales_tax = price * 0.08
		print(sales_tax)


st(10) <---- how to run a function

-----5-10 functions ---- = class   "tax class"
st()
lt()
pt()
it()
dt()



tax.st()
tax.lt()

-----5-10 functions ---- = class   "expense class"
gas()
elec()
water()
food()
beer()

expense.gas()


-----5-10 classes ---- = module   "finance module"

import finance


------------------------------- Summary of fundamentals ------------------------------















Let's look at a simple for loop
---------------------------Type This-----------------------------------
cd ~/students/yourname/
mkdir programming_fundamentals 
cd programming_fundamentals
cp ~/wannacry.exe .
nano forloop_malware_analysis.sh
 
---------------------------Paste This-----------------------------------
#!/bin/bash

ransomeware=('CryptImportKey' 'CryptDecrypt' 'CryptDestroyKey' 'CryptReleaseContext' 'EntryPo    int' 'CryptAcquireContextA' 'lstrcpyW' 'lstrlenW' 'lstrcatW' 'CloseHandle' 'lstrcmpiA' 'RegOp    enKeyExA' 'lstrlenA' 'RegSetValueExA' 'RegCloseKey' 'RegQueryValueExA' 'GetLastError' 'GetEnv    ironmentVariableA' 'ShellExecuteA' 'Sleep' 'CryptGenKey' 'CryptExportKey' 'CryptEncrypt' 'KiU    serExceptionDispatcher' 'RtlZeroMemory' 'MultiByteToWideChar' 'lstrcatA' 'RegCreateKeyA' 'SHC    hangeNotify' 'SetErrorMode' 'CryptGenKey' 'CryptImportKey');

# This is just a test to read all of the values in the array

#echo ${ransomeware[@]}

# This is a quick for loop to run strings and grep for everything in the array
# Reference: http://www.masteringunixshell.net/qa3/bash-how-to-echo-array.html

for ELEMENT in ${ransomeware[@]}
do
#echo string: $ELEMENT
strings wannacry.exe | grep -i $ELEMENT
done
--------------------------------------------------








Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x forloop_malware_analysis.sh
./forloop_malware_analysis.sh
------------------------------------------------------------------------






Let's look at a simple menu
---------------------------Type This-----------------------------------
 
nano simple_menu.sh
 
---------------------------Paste This-----------------------------------
#!/bin/bash
# simple menu to do various functions
# Reference: http://www.seafriends.org.nz/linux/menus.htm


while [ answer != "0" ] 
do
clear
echo "Select from the following functions"
echo "  0    exit"
echo "  1    Network Asset Inventory"
echo "  2    IP to IP communication and URL lookup"
echo "  3    Extract files"
echo "  4    exit"


read -p " ?" answer
    case $answer in
       0) break ;;
       1) echo "Network Asset Inventory"
       prads -r suspicious-time.pcap -l prads-asset.log
	   cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
	   cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
	   cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
       ;;
       2) echo "IP to IP communication and URL lookup"
       tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
       ;;
       3) echo "Extract files"
       foremost -v -i suspicious-time.pcap
	   cat output/audit.txt
       ;;
       4) break ;;
       *) break ;;
   esac 
   echo "press RETURN for menu"
   read key
done
exit 0
--------------------------------------------------








Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x simple_menu.sh
./simple_menu.sh
------------------------------------------------------------------------






Let's look at a simple function
---------------------------Type This-----------------------------------
 
nano hello_world.sh
 
---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://linuxize.com/post/bash-functions/

hello_world () {
   echo 'hello, world'
}

hello_world
--------------------------------------------------






Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x hello_world.sh
./hello_world.sh
------------------------------------------------------------------------




Let's ask the user a question
---------------------------Type This-----------------------------------
 
nano prompt_for_user_input.sh
 
---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://tecadmin.net/prompt-user-input-in-linux-shell-script/

read -p "Enter Your Name: "  username
echo "Welcome $username!"
------------------------------------------------------------------------






Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x prompt_for_user_input.sh
./prompt_for_user_input.sh
------------------------------------------------------------------------






Let's make the function do something useful
---------------------------Type This-----------------------------------
 
nano ip_2_url_lookup.sh
 
---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://linuxize.com/post/bash-functions/

do_stuff () {
   tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
}

do_stuff
------------------------------------------------------------------------






Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x ip_2_url_lookup.sh
./ip_2_url_lookup.sh
------------------------------------------------------------------------




Let's grab some PCAP files
---------------------------Type This-----------------------------------
cd ~/students/yourname/programming_fundamentals 
mkdir pcaps
cd pcaps
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/APT41/APT41_StoreSyncSvc.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Agent_Tesla/agenttesla_09July2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/CVE-2019-9978/CVE-2019-9978_attempt_05May2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Powershell/Powershell_script_19Dec2019.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/sharik_smoke/sharik_smoke.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0703.pcap
wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0801.pcap
------------------------------------------------------------------------


Let's read file names into an array
---------------------------Type This-----------------------------------
 
nano parse_pcap_file_names.sh
 
---------------------------Paste This-----------------------------------
#!/bin/bash
# Reference: https://delightlylinux.wordpress.com/2017/04/08/put-filenames-in-bash-array/

#!/bin/bash

declare -a arrPCAPs
for file in *.pcap
do
    arrPCAPs=("${PCAPs[@]}" "$file")
    echo ${arrPCAPs[@]}
done
------------------------------------------------------------------------






Ok, now let's run it
---------------------------Type This-----------------------------------
chmod +x parse_pcap_file_names.sh
./parse_pcap_file_names.sh
------------------------------------------------------------------------















##################
# Day 4 Homework #
##################

Task Option 1: Shell Scripting
------------------------------------
Watch and do all of the exercises in the video https://www.youtube.com/watch?v=hwrnmQumtPw
Create a word document that contains the screenshots of the tasks performed in this video
Name the word document 'YourFirstName-YourLastName-LinuxDay4-ShellScripting.docx' (ex: 'Joseph-McCray-LinuxDay3-ShellScripting.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow


Task Option 2: Python3
---------------------------------------
Watch and do all of the exercises in the first 7 videos from https://www.youtube.com/playlist?list=PLypxmOPCOkHVzhKRcWzEkQXCnmHezGVeB
Create a word document that contains the screenshots of the tasks performed in these videos
Name the word document 'YourFirstName-YourLastName-LinuxDay4-Python3.docx' (ex: 'Joseph-McCray-LinuxDay3-Python3.docx.docx')
Email the document to me at joe-at-secureninja-dot-com before the start of class tomorrow




                               ####################
############################## # Day 5: Challenge # ##############################
                               ####################










































###################
# Memory Analysis #
###################
---------------------------Type This-----------------------------------
cd  ~/Desktop/
 
sudo apt-get install -y foremost tcpxtract
 
wget https://infosecaddicts-files.s3.amazonaws.com/hn_forensics.vmem
 
git clone https://github.com/volatilityfoundation/volatility.git
 
cd volatility
sudo pip install distorm3
sudo python setup.py install
python vol.py -h
python vol.py pslist -f ~/Desktop/hn_forensics.vmem
python vol.py connscan -f ~/Desktop/hn_forensics.vmem
mkdir dump/
mkdir -p output/pdf/
python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 888 -D dump/
python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 1752 -D dump/
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
cd ~/Desktop/volatility/output/pdf/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf
 
 
 
cd ~/Desktop/volatility/output/pdf/
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw pdf/00601560.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
 
cat malicious.js
 -----------------------------------------------------------------------
 
 
 
 
*****Sorry - no time to cover javascript de-obfuscation today*****
 
 
 
 
---------------------------Type This-----------------------------------
cd ~/Desktop/volatility
mkdir files2/
python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
python vol.py hivescan -f ~/Desktop/hn_forensics.vmem                                  
python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon 
-----------------------------------------------------------------------
 
 
                            ######################
----------- ############### # Intro to Reversing # ############### -----------
                            ######################
Lab walk-through documents are in the zip file along with the executables that need to be reversed:
https://infosecaddicts-files.s3.amazonaws.com/Lena151.zip





##############################
# Linux For InfoSec Homework #
##############################
In order to receive your certificate of attendance you must complete the all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.


Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)




##############################
# Linux For InfoSe Challenge #
##############################

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/eduSfPy3).

Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)




IMPORTANT NOTE:
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST.


#########################################################################
# What kind of Linux am I on and how can I find out? 			        #
# Great reference: 							                            #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 	#
#########################################################################
- What’s the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release      		# Debian based
cat /etc/redhat-release   		# Redhat based



- What’s the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-



- What can be learnt from the environmental variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


- What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


- Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



- What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/


- Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'



- What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


- Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   		# Search for Joomla passwords


- What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

- What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



- Whats cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l



- What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



- Anything “interesting” in the home directorie(s)? If it’s possible to access
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


- Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


- What has the user being doing? Is there any password in plain text? What have they been edting?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



- What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


- Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


- Any settings/files (hidden) on website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


- Is there anything in the log file(s) (Could help with “Local File Includes”!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp





########################################################################################################################################





####################################
# Day 2: Building a Perfect Server #
####################################
-------------------------------------------
Task 1: Log in to your respective Linux server
PMRF1 (Hugo/Ross)
45.76.61.100
pmrf	aegisashore

PMRF2 (steve/jeff)
155.138.213.248
pmrf	aegisashore


PMRF3 (elaine)
155.138.198.202
pmrf	aegisashore



Task 2: Build the Perfect Server
https://www.howtoforge.com/tutorial/perfect-server-centos-7-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig/ 

Important notes:
Steps to skip 
skip all of step 1
skip all of step 2
skip all of step 3
skip all of step 5

Important notes:
step 11 amavisd may not work. If it doesn't work just keep moving forward
---------------------------------------------

Public Pastes

⭐ Binance Account hack 3B
JavaScript | 11 sec ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 7 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 8 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 16 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 17 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 24 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 25 min ago | 0.17 KB
⭐ FREE giftcards method ON
JavaScript | 33 min ago | 0.17 KB