- Here is a good set of slides for getting started with Linux:

http://www.slideshare.net/olafusimichael/linux-training-24086319

- I prefer to use Putty to SSH into my Linux host.

- You can download Putty from here:

Here is the information to put into putty

########################

# Basic Linux Commands #

########################

---------------------------Type This-----------------------------------

cd ~

which pwd

/bin/pwd

mkdir yourname					<---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

cd yourname						<---- replace 'yourname' with your first name in lowercase with no spaces or special characters please

touch one two three

ls -l t							(without pressing the Enter key, press the Tab key twice. What happens?)

h								(and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'		(What happens?)

Press 'Ctrl-A'					(What happens?)

ls

clear							(What happens?)

echo one > one

cat one							(What happens?)

man cat							(What happens?)

	q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three 						(What happens?)

wc -l three

man wc

	q

cat three | grep four

cat three | grep one

man grep

	q

man ps

	q

ps

ps aux

ps aux | less

Press the 'Up arrow key'		(What happens?)

Press the 'Down arrow key'		(What happens?)

	q

top

    q

-----------------------------------------------------------------------

#########

# Files #

#########

---------------------------Type This-----------------------------------

cd ~

pwd

cd ~/yourname/

pwd

cd LinuxBasics

pwd

ls

mkdir files

cp one files/

ls files/

cd files/

cp ../two .

ls

cp ../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

zip data *

unzip -l data.zip

mkdir /tmp/yourname/

unzip data.zip -d /tmp/yourname/

-----------------------------------------------------------------------

############

# VIM Demo #

############

---------------------------Type This-----------------------------------

cd ~/yourname/LinuxBasics

mkdir vimlesson

cd vimlesson

vi lesson1.sh

i								(press "i" to get into INSERT mode and then paste in the lines below)

#!/bin/bash

echo "This is my first time using vi to create a shell script"

echo " "

echo " "

sleep 5

echo "Ok, now let's clear the screen"

sleep 3

clear

---------------don't put this line in your script----------------------------

ESC			(press the ESC key to get you out of INSERT mode)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

/echo		(typing "/echo" immediately after SHIFT: will search the file for the word echo).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

dd		(typing "dd" will delete the line that you are on)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

dd		(typing "dd" will delete the line that you are on)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

syntax on		(typing "syntax on" immediately after SHIFT: will turn on syntax highlighting

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set tabstop=5	(typing "set tabstop=5" immediately after SHIFT: will set your tabs to 5 spaces

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi .vimrc

i			(press "i" to get into INSERT mode and then paste in the lines below)

set number

syntax on

set tabstop=5

ESC			(press the ESC key to get you out of INSERT mode)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

echo $MYVIMRC	(typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).

-----------------------------------------------------------------------

###############

# Permissions #

###############

---------------------------Type This-----------------------------------

cd ~/yourname/LinuxBasics

ls -l one

-----------------------------------------------------------------------

We can determine a lot from examining the results of this command. The file "one" is owned by user "me". 

Now "me" has the right to read and write this file. 

The file is owned by the group "me". Members of the group "me" can also read and write this file. 

Everybody else can read this file

---------------------------Type This-----------------------------------

ls -l /bin/bash

-----------------------------------------------------------------------

Here we can see:

The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file. 

The file is owned by the group "root". Members of the group "root" can also read and execute this file.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Everybody else can read and execute this file

The next command you need to know is "chmod"

rwx rwx rwx = 111 111 111

rw- rw- rw- = 110 110 110

rwx --- --- = 111 000 000

and so on...

rwx = 111 in binary = 7

rw- = 110 in binary = 6

r-x = 101 in binary = 5

r-- = 100 in binary = 4

---------------------------Type This-----------------------------------

ls -l one

chmod 600 one

ls -l one

sudo useradd yourname

	aegisweaponssystem

sudo passwd yourname

     P@$$w0rd321

     P@$$w0rd321

sudo chown testuser one

	aegisweaponssystem

ls -l one

sudo chgrp testuser one

	aegisweaponssystem

ls -l one

id

su testuser

     P@$$w0rd321

-----------------------------------------------------------------------

Value	Meaning

700 (rwx------) 	The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.

666 (rw-rw-rw-) 	All users may read and write the file.

644 (rw-r--r--) 	The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.

600 (rw-------) 	The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.

Directory permissions

---------------------

The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:

777 (rwxrwxrwx) 	No restrictions on permissions. 

Anybody may list files, create new files in the directory and delete files in the directory. 

Generally not a good setting.

755 (rwxr-xr-x) 	The directory owner has full access. 

This setting is common for directories that you wish to share with other users.

700 (rwx------) 	The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.

######################

######################

---------------------------Type This-----------------------------------

top

	q

htop

	q

ps aux

ps -A

ps axjf

pstree

pgrep bash

pgrep init

ps aux | grep apache

-----------------------------------------------------------------------

You can list all of the signals that are possible to send with kill by typing:

---------------------------Type This-----------------------------------

kill -l

sudo kill -HUP pid_of_apache

The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:

pkill -9 ping

The above command is the equivalent of:

kill -9 `pgrep ping`

-----------------------------------------------------------------------

################

# Hashing Demo #

################

---------------------------Type This-----------------------------------

cd ~/yourname/LinuxBasics

mkdir hashdemo

cd hashdemo

echo test > test.txt

cat test.txt

md5sum test.txt

echo hello >> test.txt

cat test.txt

md5sum test.txt

echo test2 > test2.txt

cat test2.txt

echo hello >> test2.txt

cat test2.txt

sha256sum test2.txt

cd ..

-----------------------------------------------------------------------

#################################

# Symmetric Key Encryption Demo #

#################################

---------------------------Type This-----------------------------------

cd ~/yourname/LinuxBasics

mkdir gpgdemo

echo test > test.txt

cat test.txt

gpg -c test.txt

	password

	password

ls | grep test

cat test.txt

cat test.txt.gpg

rm -rf test.txt

ls | grep test

gpg -o output.txt test.txt.gpg

	password

cat output.txt

-----------------------------------------------------------------------

#########################################################################################################################

# Asymmetric Key Encryption Demo 											                                            #

# Configure random number generator 											                                        #

#########################################################################################################################

---------------------------Type This-----------------------------------

cd ~/yourname/LinuxBasics/gpgdemo

echo hello > file1.txt

echo goodbye > file2.txt

echo green > file3.txt

echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key

	1

	1024

	0

	y

	John Doe

	john@doe.com

	--blank comment--

	O

		password

		password	

gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

ls

tar -zxvf files.tar.gz.gpg

gpg --output output.tar.gz --decrypt files.tar.gz.gpg

	password

tar -zxvf output.tar.gz

ls

-----------------------------------------------------------------------

##############################################

##############################################

cat –  prints the content of a file in the terminal window

sed –  performs find and replace functions

uniq – compares adjacent lines and can report, filter or provide a count of duplicates

##############

##############

---------------------------Type This----------------------------------- 

wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log

-----------------------------------------------------------------------

AWK Basics

- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.

cat cisco.log | awk '{print $5}' | tail -n 4

---------------------------Type This----------------------------------- 

----------------------------------------------------------------------- 

- While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.

---------------------------Type This----------------------------------- 

cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn

----------------------------------------------------------------------- 

- Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.

---------------------------Type This----------------------------------- 

cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn

-----------------------------------------------------------------------

################

# The Scenario #

################

You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).

The fastest thing you can do is perform static analysis. 

###################

# Static Analysis #

###################

- After logging please open a terminal window and type the following commands:

---------------------------Type This-----------------------------------

cd Desktop/

-----------------------------------------------------------------------

- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

---------------------------Type This-----------------------------------

cd ~/Desktop/

wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate

wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate

unzip malware-password-is-infected.zip

    infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

-----------------------------------------------------------------------

***What is '4d 5a' or 'MZ'***

Reference:

http://www.garykessler.net/library/file_sigs.html

---------------------------Type This-----------------------------------

objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

-----------------------------------------------------------------------

                            - We didn't see anything like HKLM, HKCU or other registry type stuff

---------------------------Type This-----------------------------------

strings malware.exe | grep -i irc

strings malware.exe | grep -i join         

strings malware.exe | grep -i admin

strings malware.exe | grep -i list

-----------------------------------------------------------------------

                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

---------------------------Type This-----------------------------------

sudo apt-get install -y python-pefile

     malware

vi analyse_malware.py

python analyse_malware.py malware.exe

-----------------------------------------------------------------------

################################

# Good references for WannaCry #

################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

- After logging please open a terminal window and type the following commands:

---------------------------Type This-----------------------------------

cd Desktop/

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip

unzip wannacry.zip

     infected

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe

-----------------------------------------------------------------------

***What is '4d 5a' or 'MZ'***

Reference:

http://www.garykessler.net/library/file_sigs.html

---------------------------Type This-----------------------------------

objdump -x wannacry.exe

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join        

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list

-----------------------------------------------------------------------

Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomeware analysis"

Reference

https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

Strings:

$s1 = “Ooops, your files have been encrypted!” wide ascii nocase

$s2 = “Wanna Decryptor” wide ascii nocase

$s3 = “.wcry” wide ascii nocase

$s4 = “WANNACRY” wide ascii nocase

$s5 = “WANACRY!” wide ascii nocase

$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase

Ok, let's look for the individual strings

---------------------------Type This-----------------------------------

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....

 -----------------------------------------------------------------------

####################################

# Tired of GREP - let's try Python #

####################################

Decided to make my own script for this kind of stuff in the future. I

Reference1:

https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py

This is a really good script for the basics of static analysis

Reference:

https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This is really good for showing some good signatures to add to the Python script

Here is my own script using the signatures (started this yesterday, but still needs work):

https://pastebin.com/guxzCBmP

---------------------------Type This-----------------------------------

sudo apt install -y python-pefile

     infosecaddicts

wget https://pastebin.com/raw/guxzCBmP

mv guxzCBmP am.py

vi am.py

python am.py wannacry.exe

-----------------------------------------------------------------------

Building a Malware Scanner

--------------------------

---------------------------Type This-----------------------------------

mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt

cd ~/Desktop/

 -----------------------------------------------------------------------

#####################################################

# Analyzing Macro Embedded Malware                  #

# Reference:                                        #

# https://jon.glass/analyzes-dridex-malware-p1/     #

#####################################################

---------------------------Type This-----------------------------------

cd ~/Desktop/

sudo pip install olefile

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip

unzip oledump_V0_0_22.zip

wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip

unzip 064016.zip

     infected

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

-----------------------------------------------------------------------

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.

- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.

---------------------------Type This-----------------------------------

python oledump.py 064016.doc -s A5 -v

-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------

python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and finishes with 653B and paste it in:

http://www.rapidtables.com/convert/number/hex-to-ascii.htm

##############

# Yara Ninja #

##############

---------------------------Type This-----------------------------------

sudo apt-get remove -y yara

wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool

unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install

yara -v

cd ..

wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd ~/Desktop

yara rules-master/packer.yar malcode/malware.exe

 -----------------------------------------------------------------------

Places to get more Yara rules:

------------------------------

https://malwareconfig.com/static/yaraRules/

https://github.com/kevthehermit/YaraRules

https://github.com/VectraThreatLab/reyara

Yara rule sorting script:

-------------------------

https://github.com/mkayoh/yarasorter

---------------------------Type This-----------------------------------

cd ~/Desktop/rules-master

for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar

cd ~/Desktop/

yara rules-master/master.yar malcode/malware.exe

 -----------------------------------------------------------------------

Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:

http://derekmorton.name/files/malware_12-14-12.sql.bz2

Malware Repositories:

http://malshare.com/index.php

http://www.malwareblacklist.com/

http://www.virusign.com/

http://virusshare.com/

http://www.tekdefense.com/downloads/malware-samples/

###############################

# Creating a Malware Database #

###############################

Creating a malware database (sqlite)

---------------------------Type This-----------------------------------

sudo apt-get install -y python-simplejson python-simplejson-dbg

wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py

wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip

unzip malware-password-is-infected.zip

    infected

python avsubmit.py --init

python avsubmit.py -f malware.exe -e

 -----------------------------------------------------------------------

Creating a malware database (mysql)

-----------------------------------

- Step 1: Installing MySQL database

- Run the following command in the terminal:

---------------------------Type This-----------------------------------

sudo apt-get install mysql-server

- Step 2: Installing Python MySQLdb module

- Run the following command in the terminal:

---------------------------Type This-----------------------------------

sudo apt-get build-dep python-mysqldb

sudo apt-get install python-mysqldb

 -----------------------------------------------------------------------

Step 3: Logging in

Run the following command in the terminal:

---------------------------Type This-----------------------------------

mysql -u root -p                    (set a password of 'malware')

- Then create one database by running following command:

---------------------------Type This-----------------------------------

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py                     (fill in database connection information)

python mal_to_db.py -i

 -----------------------------------------------------------------------

------- check it to see if the files table was created ------

mysql -u root -p

    malware

show databases;

use malware;

show tables;

describe files;

exit;

---------------------------------

- Now add the malicious file to the DB

---------------------------Type This-----------------------------------

python mal_to_db.py -f malware.exe -u

 -----------------------------------------------------------------------

- Now check to see if it is in the DB

---------------------------Type This-----------------------------------

mysql -u root -p

    malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;

------------------------------------------------------------------------

#################

# PCAP Analysis #

#################

---------------------------Type This-----------------------------------

cd ~/Desktop/

mkdir suspiciouspcap/

cd suspiciouspcap/

wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap

wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u

------------------------------------------------------------------------

####################

# Intro to TCPDump #

####################

---------------------------Type This-----------------------------------

sudo apt-get install tcpdump

Basic sniffing

--------------

---------------------------Type This-----------------------------------

sudo tcpdump -n

Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy

---------------------------Type This-----------------------------------

sudo tcpdump -v -n

Getting the ethernet header (link layer headers)

------------------------------------------------

In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.

---------------------------Type This-----------------------------------

sudo tcpdump -vv -n -e

------------------------------------------------------------------------

Sniffing a particular interface

-------------------------------

In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.

---------------------------Type This-----------------------------------

sudo tcpdump -D

------------------------------------------------------------------------

Filtering packets using expressions - Selecting protocols

---------------------------------------------------------

---------------------------Type This-----------------------------------

$ sudo tcpdump -n tcp

------------------------------------------------------------------------

Particular host or port

-----------------------

Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101

---------------------------Type This-----------------------------------

$ sudo tcpdump -n 'src 192.168.1.101'

------------------------------------------------------------------------

Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.

---------------------------Type This-----------------------------------

$ sudo tcpdump -n 'udp and dst port 53'

------------------------------------------------------------------------

To display the FTP packets coming from 192.168.1.100 to 192.168.1.2

---------------------------Type This-----------------------------------

$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'

------------------------------------------------------------------------

Search the network traffic using grep

Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

---------------------------Type This-----------------------------------

$ sudo tcpdump -n -A | grep -e 'POST'

------------------------------------------------------------------------

So what is the idea behind searching packets. Well one good thing can be to sniff passwords.

Here is quick example to sniff passwords using egrep

---------------------------Type This-----------------------------------

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20

------------------------------------------------------------------------

#########

# NGrep #

#########

Install ngrep on Ubuntu

---------------------------Type This-----------------------------------

$ sudo apt-get install ngrep

------------------------------------------------------------------------

Search network traffic for string "User-Agent: "

---------------------------Type This-----------------------------------

$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80

------------------------------------------------------------------------

In the above command :

a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80

b) The d option specifies the interface to sniff. eth0 in this case.

c) "User-Agent: " is the string to search for. All packets that have that string are displayed.

2. Search network packets for GET or POST requests :

---------------------------Type This-----------------------------------

$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80

------------------------------------------------------------------------

The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).

3. ngrep without any options would simply capture all packets.

---------------------------Type This-----------------------------------

$ sudo ngrep

------------------------------------------------------------------------

Reference:

https://dl.packetstormsecurity.net/papers/general/ngreptut.txt

---------------------------Type This-----------------------------------

$ sudo ngrep -d eth0 -n 3

$ sudo ngrep -d any port 25

------------------------------------------------------------------------

This will let you monitor all activity crossing source or destination port 25

(SMTP).

---------------------------Type This-----------------------------------

$ sudo ngrep -wi -d wlan0 'user|pass' port 6667

$ sudo ngrep -wi -d any 'user|pass' port 21

------------------------------------------------------------------------

#############################

# PCAP Analysis with tshark #

#############################

---------------------------Type This-----------------------------------

sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq

tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'

######################################

# PCAP Analysis with forensicPCAP.py #

######################################

---------------------------Type This-----------------------------------

cd ~/Desktop/suspiciouspcap/

wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py

sudo pip install cmd2==0.7.9

python forensicPCAP.py suspicious-time.pcap

------------------------------------------------------------------------

---------------------------Type This-----------------------------------

ForPCAP >>> help

------------------------------------------------------------------------

Prints stats about PCAP

---------------------------Type This-----------------------------------

ForPCAP >>> stat

------------------------------------------------------------------------

Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.

---------------------------Type This-----------------------------------

ForPCAP >>> dns

ForPCAP >>> show

------------------------------------------------------------------------

Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.

---------------------------Type This-----------------------------------

ForPCAP >>> dstports

ForPCAP >>> show

---------------------------Type This-----------------------------------

Prints the number of ip source and store them.

---------------------------Type This-----------------------------------

ForPCAP >>> ipsrc

ForPCAP >>> show

------------------------------------------------------------------------

Prints the number of web's requests and store them

ForPCAP >>> web

ForPCAP >>> show

------------------------------------------------------------------------

Prints the number of mail's requests and store them

---------------------------Type This-----------------------------------

ForPCAP >>> mail

ForPCAP >>> show

------------------------------------------------------------------------

#############################

# Understanding Snort rules #

#############################

Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)

Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)

Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)

Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)

Field 5: Traffic Direction (->)

Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)

Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)

Field 8: MSG - what is actually displayed on the analysts machine

Let's look at 2 simple rules

----------------------------------------------------------------------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \

bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \

content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \

00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \

reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \

attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \

depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \