View difference between Paste ID: <a href="/DfqiGN7u">DfqiGN7u</a> and <a href="/SwgnkAhQ">SwgnkAhQ</a>

##########
1		##########
2		# VMWare #
3		##########
4		- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
5
6		- http://www.vmware.com/ap/products/player.html
7
8
9		- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
10
11
12
13		#########################
14		# Class Virtual Machine #
15		#########################
16
17
18		Here is the VMWare virtual machine for the class:
19
20		https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
21		user: infosecaddicts
22		pass: infosecaddicts
23
24
25	-	#################
25	+
26	-	# PCAP Analysis #
26	+	###################################
27	-	#################
27	+	# Setting up your virtual machine #
28		# Note: run as root user #
29	-	cd ~/Desktop/
29	+	###################################
30
31	-	mkdir suspiciouspcap/
31	+
32		Here is where we will setup all of the required dependencies for the tools we plan to install
33	-	cd suspiciouspcap/
33	+
34		apt update
35		apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libpcap-dev libssl-dev unzip python-dev swig zlib1g-dev sendmail sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq
36		-----------------------------------------------------------------------
37
38
39
40
41		Now we install Suricata
42	-	firefox index.html
42	+
43		wget https://www.openinfosecfoundation.org/download/suricata-4.0.5.tar.gz
44
45		tar -zxvf suricata-4.0.5.tar.gz
46
47		cd suricata-4.0.5
48
49		./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var
50
51		make
52
53		make install
54	-	####################
54	+
55	-	# Intro to TCPDump #
55	+	make install-conf
56	-	####################
56	+
57		cd rules
58	-	sudo apt-get install tcpdump
58	+
59		cp *.rules /etc/suricata/rules/
60
61		cd /etc/suricata/
62	-	Basic sniffing
62	+
63	-	--------------
63	+	wget https://rules.emergingthreats.net/open/suricata-4.0/emerging.rules.tar.gz
64
65	-	sudo tcpdump -n
65	+	tar -zxvf emerging.rules.tar.gz
66		-----------------------------------------------------------------------
67
68	-	Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
68	+
69
70	-	sudo tcpdump -v -n
70	+
71
72		##################################################################
73		# Analyzing a PCAP Prads #
74	-	Getting the ethernet header (link layer headers)
74	+	# Note: run as regular user #
75	-	------------------------------------------------
75	+	##################################################################
76	-	In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
76	+
77		---------------------------Type This-----------------------------------
78	-	sudo tcpdump -vv -n -e
78	+	cd ~
79
80		mkdir pcap_analysis/
81	-	Sniffing a particular interface
81	+
82	-	-------------------------------
82	+	cd ~/pcap_analysis/
83	-	In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
83	+
84		mkdir prads
85	-	sudo tcpdump -D
85	+
86		cd ~/pcap_analysis/prads
87
88	-	Filtering packets using expressions - Selecting protocols
88	+
89	-	---------------------------------------------------------
89	+
90		prads -r suspicious-time.pcap -l prads-asset.log
91	-	$ sudo tcpdump -n tcp
91	+
92		cat prads-asset.log \| less
93
94	-	Particular host or port
94	+	cat prads-asset.log \| grep SYN \| grep -iE 'windows\|linux'
95	-	-----------------------
95	+
96	-	Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
96	+	cat prads-asset.log \| grep CLIENT \| grep -iE 'safari\|firefox\|opera\|chrome'
97
98	-	$ sudo tcpdump -n 'src 192.168.1.101'
98	+	cat prads-asset.log \| grep SERVER \| grep -iE 'apache\|linux\|ubuntu\|nginx\|iis'
99		-----------------------------------------------------------------------
100
101	-	Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
101	+
102
103	-	$ sudo tcpdump -n 'udp and dst port 53'
103	+
104		##################################
105		# PCAP Analysis with ChaosReader #
106	-	To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
106	+	# Note: run as regular user #
107		##################################
108	-	$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
108	+
109		cd ~
110
111	-	Search the network traffic using grep
111	+	mkdir -p pcap_analysis/chaos_reader/
112
113	-	Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
113	+	cd ~/pcap_analysis/chaos_reader/
114
115	-	$ sudo tcpdump -n -A \| grep -e 'POST'
115	+
116
117		wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
118	-	So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
118	+
119	-	Here is quick example to sniff passwords using egrep
119	+
120
121		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
122	-	tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A \| egrep -i 'pass=\|pwd=\|log=\|login=\|user=\|username=\|pw=\|passw=\|passwd=\|password=\|pass:\|user:\|username:\|password:\|login:\|pass \|user ' --color=auto --line-buffered -B20
122	+
123		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
124
125
126		for i in session_00[0-9]*.http.html; do srcip=`cat "$i" \| grep 'http:\ ' \| awk '{print $2}' \| cut -d ':' -f1`; dstip=`cat "$i" \| grep 'http:\ ' \| awk '{print $4}' \| cut -d ':' -f1`; host=`cat "$i" \| grep 'Host:\ ' \| sort -u \| sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done \| sort -u
127	-	#########
127	+
128	-	# NGrep #
128	+	python -m SimpleHTTPServer
129	-	#########
129	+	**** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page ***
130
131	-	Install ngrep on Ubuntu
131	+
132
133	-	$ sudo apt-get install ngrep
133	+
134
135
136	-	Search network traffic for string "User-Agent: "
136	+
137
138	-	$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
138	+
139
140	-	In the above command :
140	+
141	-	a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
141	+
142	-	b) The d option specifies the interface to sniff. eth0 in this case.
142	+	# Note: run as regular user #
143	-	c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
143	+
144		---------------------------Type This-----------------------------------
145	-	2. Search network packets for GET or POST requests :
145	+	cd ~/pcap_analysis/
146
147	-	$ sudo ngrep -l -q -d eth0 "^GET \|^POST " tcp and port 80
147	+	mkdir tshark
148
149	-	The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
149	+	cd ~/pcap_analysis/tshark
150
151	-	3. ngrep without any options would simply capture all packets.
151	+
152
153	-	$ sudo ngrep
153	+	tshark -i ens3 -r suspicious-time.pcap -qz io,phs
154
155		tshark -r suspicious-time.pcap -qz ip_hosts,tree
156	-	Reference:
156	+
157	-	https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
157	+	tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" \| uniq
158
159	-	$ sudo ngrep -d eth0 -n 3
159	+	tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
160
161	-	$ sudo ngrep -d any port 25
161	+
162		tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
163
164	-	This will let you monitor all activity crossing source or destination port 25
164	+
165	-	(SMTP).
165	+
166		whois sploitme.com.cn
167	-	$ sudo ngrep -wi -d wlan0 'user\|pass' port 6667
167	+
168		tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
169	-	$ sudo ngrep -wi -d any 'user\|pass' port 21
169	+
170		tshark -r suspicious-time.pcap -qz http_req,tree
171
172		tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
173
174		tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' \| grep 10.0.3.15 \| sed -e 's/\?[^cse].*/\?\.\.\./g'
175		------------------------------------------------------------------------
176
177
178
179
180	-	sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
180	+
181
182
183	-	tshark -r suspicious-time.pcap \| grep 'NB.20\>' \| sed -e 's/<[^>]>//g' \| awk '{print $3,$4,$9}' \| sort -u
183	+	###############################
184		# PCAP Analysis with Suricata #
185		# Note: run as root #
186	-	tshark -r suspicious-time.pcap \| grep 'NB.1e\>' \| sed -e 's/<[^>]>//g' \| awk '{print $3,$4,$9}' \| sort -u
186	+	###############################
187		---------------------------Type This-----------------------------------
188		cd /home/joe/pcap_analysis/
189	-	tshark -r suspicious-time.pcap arp \| grep has \| awk '{print $3," -> ",$9}' \| tr -d '?'
189	+
190		mkdir suricata
191
192	-	tshark -r suspicious-time.pcap -Tfields -e "eth.src" \| sort \| uniq
192	+	cd suricata/
193
194		wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
195	-	tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" \| uniq
195	+
196		mkdir suri
197	-	tshark -r suspicious-time.pcap -Tfields -e "eth.src" \| sort \|uniq
197	+
198		suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
199
200		cd suri/
201	-	tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" \| uniq
201	+
202		cat stats.log \| less
203	-	tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
203	+
204		cat eve.json \|grep -E "e\":\"http"\|jq ".timestamp,.http"\|csplit - /..T..:/ {*}
205
206		cat xx01
207
208		cat xx02
209
210		cat xx03
211	-	tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
211	+
212		cat xx04
213	-	tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
213	+
214		cat xx05
215
216		cat xx06
217	-	tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
217	+	------------------------------------------------------------------------
218
219	-	tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' \| grep 10.0.3.15 \| sed -e 's/\?[^cse].*/\?\.\.\./g'
219	+
220		#############################
221		# PCAP Analysis with Yara #
222		# Note: run as regular user #
223	-	######################################
223	+
224	-	# PCAP Analysis with forensicPCAP.py #
224	+
225	-	######################################
225	+	cd ~/pcap_analysis/
226
227	-	cd ~/Desktop/suspiciouspcap/
227	+	git clone https://github.com/kevthehermit/YaraPcap.git
228		cd YaraPcap/
229	-	wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
229	+
230		wget https://github.com/Yara-Rules/rules/archive/master.zip
231	-	sudo pip install cmd2==0.7.9
231	+	unzip master.zip
232		cd rules-master/
233		ls
234	-	python forensicPCAP.py suspicious-time.pcap
234	+	cat index.yar
235		clear
236		./index_gen.sh
237		cd ..
238		mkdir matching_files/
239	-	ForPCAP >>> help
239	+	python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
240		whereis tcpflow
241		vi yaraPcap.py ** fix line 35 with correct path to tcpflow **:q!
242	-	Prints stats about PCAP
242	+	python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
243		cd matching_files/
244	-	ForPCAP >>> stat
244	+	ls
245		cat report.txt
246		------------------------------------------------------------------------
247	-	Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
247	+
248
249	-	ForPCAP >>> dns
249	+
250		#######################################################################################################
251	-	ForPCAP >>> show
251	+	# Analyzing C&C with Bro IDS and RITA #
252		# Run the following commands as root #
253		# References: #
254	-	Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
254	+	# https://www.vultr.com/docs/installing-bro-ids-on-ubuntu-16-04 #
255		# https://www.blackhillsinfosec.com/how-to-hunt-command-and-control-channels-using-bro-ids-and-rita/ #
256	-	ForPCAP >>> dstports
256	+	#######################################################################################################
257
258	-	ForPCAP >>> show
258	+	sh -c "echo 'deb http://download.opensuse.org/repositories/network:/bro/xUbuntu_16.04/ /' > /etc/apt/sources.list.d/bro.list"
259		wget -nv http://download.opensuse.org/repositories/network:bro/xUbuntu_16.04/Release.key -O Release.key
260		apt-key add - < Release.key
261	-	Prints the number of ip source and store them.
261	+	apt-get update
262		apt-get install -y cmake make gcc g++ flex bison libpcap-dev libssl-dev python-dev swig zlib1g-dev sendmail sendmail-bin
263	-	ForPCAP >>> ipsrc
263	+
264
265	-	ForPCAP >>> show
265	+
266		mkdir -p /root/Bro-IDS/
267		cd /root/Bro-IDS/
268	-	Prints the number of web's requests and store them
268	+	wget https://www.bro.org/downloads/bro-2.5.2.tar.gz
269	-	ForPCAP >>> web
269	+	tar -xvzf bro-2.5.2.tar.gz
270		cd bro-2.5.2
271	-	ForPCAP >>> show
271	+	./configure --prefix=/root/Bro-IDS
272		make
273		make install
274		export PATH=/root/Bro-IDS/bin:$PATH
275	-	Prints the number of mail's requests and store them
275	+
276
277	-	ForPCAP >>> mail
277	+
278		vi /root/Bro-IDS/etc/node.cfg
279	-	ForPCAP >>> show
279	+	/root/Bro-IDS/bin/broctl
280		install
281		exit
282		/root/Bro-IDS/bin/broctl deploy
283
284
285
286
287	-	# Understanding Snort rules #
287	+	mkdir b_analysis/
288		cd b_analysis/
289	-	Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
289	+	bro -C -r suspicious-time.pcap local "Site::local_nets += { 10.0.0.0/8 }"
290		ls -S dns.log
291	-	Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
291	+	cat conn.log \| bro-cut uid id.orig_h id.resp_h duration \| sort -nr -k4 \| head -n 5
292
293	-	Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
293	+
294
295	-	Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
295	+
296
297	-	Field 5: Traffic Direction (->)
297	+
298
299	-	Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
299	+
300		git clone https://github.com/ocmdev/rita.git
301	-	Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
301	+
302		cd rita/
303	-	Field 8: MSG - what is actually displayed on the analysts machine
303	+
304		chmod +x install.sh
305
306	-	Let's look at 2 simple rules
306	+	./install.sh
307	-	----------------------------------------------------------------------------------
307	+
308	-	alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
308	+	source ~/.bashrc
309	-	bind attempt”; flow:to_server,established; content:”\|05\|”; distance:0; within:1; \
309	+
310	-	content:”\|0b\|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”\|A0 01 00 \
310	+	systemctl start mongod
311	-	00 00 00 00 00 C0 00 00 00 00 00 00 46\|”; distance:29; within:16; \
311	+
312	-	reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
312	+	rita import -i /root/btest/ -d suspicious-time
313
314	-	alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
314	+	rita analyze
315	-	attempt”; flow:to_server,established; content:”\|FF\|SMB\|25\|”; nocase; offset:4; \
315	+
316	-	depth:5; content:”\|26 00\|”; distance:56; within:2; content:”\|5c \
316	+	cd suspicious-time
317	-	00\|P\|00\|I\|00\|P\|00\|E\|00 5c 00\|”; nocase; distance:5; within:12; content:”\|05\|”; \
317	+
318	-	distance:0; within:1; content:”\|0b\|”; distance:1; within:1; \
318	+	python -m SimpleHTTPServer