joemccray

Ultimate Defensive Cyber

Mar 26th, 2018
############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts


###################################
# Day 1: Intro to Static Analysis #
###################################

- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.

- After logging in, open a terminal window and type the following commands:
---------------------------Type This-----------------------------------
sudo apt-get install -y python-pefile vim
infosecaddicts (sudo password)

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip --no-check-certificate
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate

unzip wannacry.zip
infected (zip password)

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe
-----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'?***
Reference:
http://www.garykessler.net/library/file_sigs.html
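The renaming exercise above shows that `file` looks at the leading bytes, not the extension. Here is that check written out in Python 3 as an added example (not part of the course notes or the analyse_malware.py script): it matches a file against a small table of well-known signatures and, for the 'MZ' case, follows the e_lfanew pointer at offset 0x3c to confirm the 'PE\0\0' header, which is what separates a real PE file from a file that merely starts with two bytes 'MZ'. The signature table and the sample buffer are constructed for the example.

```python
"""Identify a file by its magic bytes rather than its extension.
Added example for the 'what is MZ' section; not the course's own code.
The signature table is a small constructed subset of the public file-signature lists."""
import struct

# (leading bytes, description) - constructed, not exhaustive
MAGIC = [
    (b"MZ", "DOS/Windows executable (MZ header)"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar)"),
    (b"\x7fELF", "ELF executable"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy .doc/.xls)"),
]


def identify(data: bytes) -> str:
    """Return a description based on the first bytes of the buffer."""
    for sig, desc in MAGIC:
        if data.startswith(sig):
            return desc
    return "unknown"


def is_pe(data: bytes) -> bool:
    """True if 'MZ' at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew
    (little-endian DWORD at 0x3c).  A file with only 'MZ' is a DOS stub, not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_fake_pe() -> bytes:
    """Constructed minimal buffer with a valid MZ -> e_lfanew -> PE chain (not malware)."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew points at 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def extension_mismatch(filename: str, data: bytes) -> bool:
    """Mirror the 'mv wannacry.exe malware.pdf' exercise: the name says PDF, the bytes say PE."""
    return filename.lower().endswith(".pdf") and is_pe(data)


if __name__ == "__main__":
    sample = make_fake_pe()
    print(identify(sample))                          # DOS/Windows executable (MZ header)
    print(is_pe(sample))                             # True
    print(extension_mismatch("malware.pdf", sample)) # True
    print(identify(b"%PDF-1.4\n"))                   # PDF document
```

Run it as a script, or import it and call `identify(open(path, "rb").read(64))` on a file you want to type-check. The two-byte `hexdump -n 2` check in the notes corresponds to the first `startswith` test; `is_pe` is the extra step a scanner needs before trusting the 'MZ' result.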
  47.  
  48.  
  49.  
  50.  
  51. ---------------------------Type This-----------------------------------
  52. objdump -x wannacry.exe
  53.  
  54. strings wannacry.exe
  55.  
  56. strings --all wannacry.exe | head -n 6
  57.  
  58. strings wannacry.exe | grep -i dll
  59.  
  60. strings wannacry.exe | grep -i library
  61.  
  62. strings wannacry.exe | grep -i reg
  63.  
  64. strings wannacry.exe | grep -i key
  65.  
  66. strings wannacry.exe | grep -i rsa
  67.  
  68. strings wannacry.exe | grep -i open
  69.  
  70. strings wannacry.exe | grep -i get
  71.  
  72. strings wannacry.exe | grep -i mutex
  73.  
  74. strings wannacry.exe | grep -i irc
  75.  
  76. strings wannacry.exe | grep -i join
  77.  
  78. strings wannacry.exe | grep -i admin
  79.  
  80. strings wannacry.exe | grep -i list
  81. -----------------------------------------------------------------------
  82.  
  83.  
  84. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  85.  
  86. Quick Google search for "wannacry ransomeware analysis"
  87.  
  88.  
  89. Reference
  90. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  91.  
  92. - Yara Rule -
  93.  
  94.  
  95. Strings:
  96. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  97. $s2 = “Wanna Decryptor” wide ascii nocase
  98. $s3 = “.wcry” wide ascii nocase
  99. $s4 = “WANNACRY” wide ascii nocase
  100. $s5 = “WANACRY!” wide ascii nocase
  101. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  102.  
  103.  
  104.  
  105. Ok, let's look for the individual strings
  106.  
  107.  
  108. ---------------------------Type This-----------------------------------
  109. strings wannacry.exe | grep -i ooops
  110.  
  111. strings wannacry.exe | grep -i wanna
  112.  
  113. strings wannacry.exe | grep -i wcry
  114.  
  115. strings wannacry.exe | grep -i wannacry
  116.  
  117. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  118. -----------------------------------------------------------------------
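The Yara rule above attaches `wide ascii nocase` to every string, and the grep exercise only reproduces the `ascii nocase` part: `strings` without `-e l` prints single-byte strings only, so a UTF-16LE copy of "Wanna Decryptor" never reaches grep. The following added example (Python 3, not the course script and not Yara itself) emulates the three modifiers over a byte buffer so the difference is visible; the buffer is constructed for the example and is not taken from a real sample.

```python
"""Emulate Yara's 'wide ascii nocase' string modifiers over a byte buffer.
Added example for the Yara-rule section; not the course's code, not a Yara wrapper.
'ascii' = the literal bytes, 'wide' = UTF-16LE (each char followed by 0x00),
'nocase' = ASCII case folding."""
import re

# The $s strings from the rule quoted in the notes
RULE_STRINGS = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}


def encodings_for(text: str) -> dict:
    """Both byte forms Yara would search for."""
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def match_rule(data: bytes, rule_strings: dict = RULE_STRINGS) -> dict:
    """Return {name: [(offset, encoding), ...]} for every rule string found.
    re.IGNORECASE on a bytes pattern folds ASCII letters only, which is exactly
    what 'nocase' does and is why it still works on the 0x00-interleaved wide form."""
    hits = {}
    for name, text in rule_strings.items():
        for enc, needle in encodings_for(text).items():
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.setdefault(name, []).append((m.start(), enc))
    return hits


def sample_buffer() -> bytes:
    """Constructed buffer: null filler, one lower-case ASCII hit for $s5,
    one mixed-case UTF-16LE hit for $s2."""
    filler = b"\x00" * 16
    return filler + b"wanacry!" + filler + "Wanna DECRYPTOR".encode("utf-16-le") + filler


if __name__ == "__main__":
    buf = sample_buffer()
    for name, where in sorted(match_rule(buf).items()):
        print(name, repr(RULE_STRINGS[name]), where)
    # $s5 is found as 'ascii' at offset 16; $s2 only as 'wide' at offset 40.
    # `strings wannacry.exe | grep -i wanna` would show the first kind and miss the second.
```

When grepping `strings` output during triage, run `strings -e l` (little-endian 16-bit) as well, or you will under-count exactly the strings a `wide` rule was written to catch.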
  119.  
  120.  
  121.  
  122.  
  123.  
  124.  
  125. ####################################
  126. # Tired of GREP - let's try Python #
  127. ####################################
  128. Decided to make my own script for this kind of stuff in the future. I
  129.  
  130. Reference1:
  131. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
  132.  
  133. This is a really good script for the basics of static analysis
  134.  
  135. Reference:
  136. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  137.  
  138.  
  139. This is really good for showing some good signatures to add to the Python script
  140.  
  141.  
  142. Here is my own script using the signatures (started this yesterday, but still needs work):
  143. https://pastebin.com/guxzCBmP
  144.  
  145.  
  146.  
  147. ---------------------------Type This-----------------------------------
  148. wget https://pastebin.com/raw/guxzCBmP
  149.  
  150.  
  151. mv guxzCBmP am.py
  152.  
  153.  
  154. nano am.py
  155.  
  156. python am.py wannacry.exe
  157. -----------------------------------------------------------------------
  158.  
  159.  
  160. ################################
  161. # Good references for WannaCry #
  162. ################################
  163.  
  164. References:
  165.  
  166. https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
  167. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  168. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  169.  
  170.  
  171.  
  172.  
  173.  
  174.  
  175. Building a Malware Scanner
  176. --------------------------
  177.  
  178. ---------------------------Type This-----------------------------------
  179. mkdir ~/Desktop/malwarescanner
  180.  
  181. cd ~/Desktop/malwarescanner
  182.  
  183. wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
  184.  
  185. unzip master.zip
  186.  
  187. cd malwarescanner-master/
  188.  
  189. python scanner.py -h
  190.  
  191. cat strings.txt
  192.  
  193. cat hashes.txt
  194.  
  195. mkdir ~/Desktop/malcode
  196.  
  197. cp ~/Desktop/malware.exe ~/Desktop/malcode
  198.  
  199. python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt
  200.  
  201. cd ~/Desktop/
  202. -----------------------------------------------------------------------
  203.  
  204.  
  205. #####################################################
  206. # Analyzing Macro Embedded Malware #
  207. # Reference: #
  208. # https://jon.glass/analyzes-dridex-malware-p1/ #
  209. #####################################################
  210. ---------------------------Type This-----------------------------------
  211. cd ~/Desktop/
  212.  
  213.  
  214. sudo pip install olefile
  215.  
  216.  
  217. mkdir ~/Desktop/oledump
  218.  
  219. cd ~/Desktop/oledump
  220.  
  221. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  222.  
  223. unzip oledump_V0_0_22.zip
  224.  
  225. wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
  226.  
  227. unzip 064016.zip
  228. infected
  229.  
  230. python oledump.py 064016.doc
  231.  
  232. python oledump.py 064016.doc -s A4 -v
  233. -----------------------------------------------------------------------
  234.  
  235.  
  236.  
  237. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  238. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  239.  
  240. ---------------------------Type This-----------------------------------
  241. python oledump.py 064016.doc -s A5 -v
  242. -----------------------------------------------------------------------
  243.  
  244. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  245.  
  246. ---------------------------Type This-----------------------------------
  247. python oledump.py 064016.doc -s A3 -v
  248. -----------------------------------------------------------------------
  249.  
  250.  
  251. - Look for "GVhkjbjv" and you should see:
  252.  

  254.  
  255. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  256. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
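Pasting the blob into a web form works for one document; the added example below (Python 3, not part of oledump or the course notes) does the same step locally and repeatably: it pulls every long hex run out of decompressed VBA source and decodes it, escaping non-printable bytes so nothing is silently dropped. The macro text used here is a constructed stand-in whose payload is just `echo hello`; it is not the content of 064016.doc.

```python
"""Extract and decode hex-encoded blobs from obfuscated VBA source.
Added example for the macro-analysis section; not oledump's or the course's code.
Input would normally be the text printed by `oledump.py <doc> -s A3 -v`."""
import re
import string

HEX_BLOB = re.compile(r"[0-9A-Fa-f]{16,}")   # at least 8 encoded bytes, to skip short numbers
PRINTABLE = set(string.printable)


def extract_hex_blobs(vba_source: str) -> list:
    """All long hex runs of even length (odd-length runs cannot be byte strings)."""
    return [m.group(0) for m in HEX_BLOB.finditer(vba_source) if len(m.group(0)) % 2 == 0]


def decode_blob(blob: str) -> str:
    """Hex -> text; bytes outside ASCII printable are rendered as \\xNN rather than dropped."""
    raw = bytes.fromhex(blob)
    return "".join(chr(b) if chr(b) in PRINTABLE else "\\x%02x" % b for b in raw)


def decode_macro(vba_source: str) -> list:
    """[(first four hex digits, decoded text), ...] - the prefix lets you match
    the result back to the blob in the dump (the notes' blob starts with 636D)."""
    return [(blob[:4], decode_blob(blob)) for blob in extract_hex_blobs(vba_source)]


# Constructed stand-in for an obfuscated module: meaningless variable name,
# payload is 'echo hello' hex-encoded.  Not the real macro.
SAMPLE_VBA = '''
Sub AutoOpen()
    Dim GVhkjbjv As String
    GVhkjbjv = "6563686F2068656C6C6F"
    Call Xyz(GVhkjbjv)
End Sub
'''

if __name__ == "__main__":
    for prefix, text in decode_macro(SAMPLE_VBA):
        print(prefix, "->", text)      # 6563 -> echo hello
```

Feed it the stream dump instead of the sample (`decode_macro(open("a3.txt").read())`) and review the decoded text; anything that decodes to a command line or URL is the indicator you record, without executing it.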
  257.  
  258.  
  259.  
  260.  
  261. ##############
  262. # Yara Ninja #
  263. ##############
  264. ---------------------------Type This-----------------------------------
  265. sudo apt-get remove -y yara
  266.  
  267.  
  268. wget https://github.com/plusvic/yara/archive/v3.4.0.zip
  269.  
  270. sudo apt-get -y install libtool
  271.  
  272.  
  273. unzip v3.4.0.zip
  274.  
  275. cd yara-3.4.0
  276.  
  277. ./bootstrap.sh
  278.  
  279. ./configure
  280.  
  281. make
  282.  
  283. sudo make install
  284.  
  285.  
  286. yara -v
  287.  
  288. cd ..
  289.  
  290. wget https://github.com/Yara-Rules/rules/archive/master.zip
  291.  
  292. unzip master.zip
  293.  
  294. cd ~/Desktop
  295.  
  296. yara rules-master/packer.yar malcode/malware.exe
  297. -----------------------------------------------------------------------
  298.  
  299.  
  300.  
  301. Places to get more Yara rules:
  302. ------------------------------
  303. https://malwareconfig.com/static/yaraRules/
  304. https://github.com/kevthehermit/YaraRules
  305. https://github.com/VectraThreatLab/reyara
  306.  
  307.  
  308.  
  309. Yara rule sorting script:
  310. -------------------------
  311. https://github.com/mkayoh/yarasorter
  312.  
  313.  
  314. ---------------------------Type This-----------------------------------
  315. cd ~/Desktop/rules-master
  316. for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
  317. cd ~/Desktop/
  318. yara rules-master/master.yar malcode/malware.exe
  319. -----------------------------------------------------------------------
  320.  
  321.  
  322.  
  323.  
  324.  
  325.  
  326.  
  327.  
  328.  
  329. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  330. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  331.  
  332.  
  333. Malware Repositories:
  334. ---------------------
  335. http://malshare.com/index.php
  336. http://www.malwareblacklist.com/
  337. http://www.virusign.com/
  338. http://virusshare.com/
  339. http://www.tekdefense.com/downloads/malware-samples/
  340.  
  341.  
  342.  
  343.  
  344.  
  345.  
  346.  
  347.  
  348.  
  349.  
  350.  
  351. ###############################
  352. # Creating a Malware Database #
  353. ###############################
  354.  
  355. Creating a malware database (sqlite)
  356. ---------------------------Type This-----------------------------------
  357. sudo apt-get install -y python-simplejson python-simplejson-dbg
  358.  
  359.  
  360. wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py
  361. wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
  362.  
  363. unzip malware-password-is-infected.zip
  364. infected
  365.  
  366. python avsubmit.py --init
  367.  
  368. python avsubmit.py -f malware.exe -e
  369. -----------------------------------------------------------------------
  370.  
  371.  
  372.  
  373.  
  374. Creating a malware database (mysql)
  375. -----------------------------------
  376. - Step 1: Installing MySQL database
  377. - Run the following command in the terminal:
  378. ---------------------------Type This-----------------------------------
  379. sudo apt-get install mysql-server
  380. -----------------------------------------------------------------------
  381.  
  382. - Step 2: Installing Python MySQLdb module
  383. - Run the following command in the terminal:
  384. ---------------------------Type This-----------------------------------
  385. sudo apt-get build-dep python-mysqldb
  386.  
  387.  
  388. sudo apt-get install python-mysqldb
  389.  
  390. -----------------------------------------------------------------------
  391.  
  392. Step 3: Logging in
  393. Run the following command in the terminal:
  394. ---------------------------Type This-----------------------------------
  395. mysql -u root -p (set a password of 'malware')
  396. -----------------------------------------------------------------------
  397.  
  398.  
  399. - Then create one database by running following command:
  400. ---------------------------Type This-----------------------------------
  401. create database malware;
  402.  
  403. exit;
  404.  
  405. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  406.  
  407. vi mal_to_db.py (fill in database connection information)
  408.  
  409. python mal_to_db.py -i
  410. -----------------------------------------------------------------------
  411.  
  412. ------- check it to see if the files table was created ------
  413.  
  414. ---------------------------Type This-----------------------------------
  415. mysql -u root -p
  416. malware
  417.  
  418. show databases;
  419.  
  420. use malware;
  421.  
  422. show tables;
  423.  
  424. describe files;
  425.  
  426. exit;
  427. -----------------------------------------------------------------------
  428.  
  429.  
  430. - Now add the malicious file to the DB
  431. ---------------------------Type This-----------------------------------
  432. python mal_to_db.py -f malware.exe -u
  433. -----------------------------------------------------------------------
  434.  
  435.  
  436. - Now check to see if it is in the DB
  437. ---------------------------Type This-----------------------------------
  438. mysql -u root -p
  439. malware
  440.  
  441. mysql> use malware;
  442.  
  443. select id,md5,sha1,sha256,time FROM files;
  444.  
  445. mysql> quit;
  446. ------------------------------------------------------------------------
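Both database exercises above (avsubmit.py against sqlite, mal_to_db.py against MySQL) come down to the same thing: hash a file three ways and store the digests with a timestamp in a `files` table. The added example below (Python 3 with the standard-library sqlite3 module) is a self-contained version of that table with the same columns the `select id,md5,sha1,sha256,time FROM files;` query expects; it is not mal_to_db.py or avsubmit.py, and the "samples" it stores are constructed byte strings, not malware.

```python
"""Minimal malware hash database: files(id, md5, sha1, sha256, time).
Added example for the malware-database section; not the course's scripts.
Uses an in-memory sqlite database so it runs anywhere; pass a path to persist."""
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,   -- one row per distinct content
    time   TEXT NOT NULL
);
"""


def hashes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests.  sha256 is the key; md5 and sha1 are kept only
    because older feeds and reports still reference them."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in ("md5", "sha1", "sha256")}


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_sample(conn: sqlite3.Connection, data: bytes) -> bool:
    """Insert one sample.  Returns False (and stores nothing) if that sha256 is already present."""
    h = hashes(data)
    now = datetime.now(timezone.utc).isoformat()
    try:
        with conn:   # commits on success, rolls back on error
            conn.execute(
                "INSERT INTO files (md5, sha1, sha256, time) VALUES (?, ?, ?, ?)",
                (h["md5"], h["sha1"], h["sha256"], now),
            )
        return True
    except sqlite3.IntegrityError:
        return False


def lookup(conn: sqlite3.Connection, data: bytes):
    """Row (id, md5, sha1, sha256, time) for a buffer, or None if unknown."""
    sha = hashlib.sha256(data).hexdigest()
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files WHERE sha256 = ?", (sha,)
    ).fetchone()


def count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    add_sample(db, b"constructed sample one")
    add_sample(db, b"constructed sample two")
    print(add_sample(db, b"constructed sample one"))   # False: duplicate content
    print(lookup(db, b"constructed sample two"))        # (2, md5, sha1, sha256, time)
    print(count(db))                                    # 2
```

The UNIQUE constraint on sha256 is the design point: re-submitting the same file (or the same file under a new name) does not create a second row, so counts from the table reflect distinct samples rather than how many times a file was uploaded.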
  447.  
  448.  
  449.  
  450.  
  451.  
  452.  
  453.  
  454.  
  455.  
  456.  
  457. ################################
  458. # Day 2: Log and PCAP Analysis #
  459. ################################
  460.  
  461.  
  462.  
  463.  
  464. ##############################################
  465. # Log Analysis with Linux command-line tools #
  466. ##############################################
  467. The following command line executables are found in the Mac as well as most Linux Distributions.
  468.  
  469. cat – prints the content of a file in the terminal window
  470. grep – searches and filters based on patterns
  471. awk – can sort each row into fields and display only what is needed
  472. sed – performs find and replace functions
  473. sort – arranges output in an order
  474. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  475.  
  476.  
  477.  
  478.  
  479. ##############
  480. # Cisco Logs #
  481. ##############
  482. ---------------------------Type This-----------------------------------
  483. wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
  484. -----------------------------------------------------------------------
  485.  
  486. AWK Basics
  487. ----------
  488. To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  489. ---------------------------Type This-----------------------------------
  490. cat cisco.log | awk '{print $5}' | tail -n 4
  491. -----------------------------------------------------------------------
  492.  
  493.  
  494.  
  495. Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  496. ---------------------------Type This-----------------------------------
  497. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  498. -----------------------------------------------------------------------
  499.  
  500.  
  501.  
  502. While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  503. ---------------------------Type This-----------------------------------
  504. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  505. -----------------------------------------------------------------------
  506.  
  507.  
  508.  
  509.  
  510. Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  511. ---------------------------Type This-----------------------------------
  512. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  513.  
  514. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  515.  
  516. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  517.  
  518. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  519. -----------------------------------------------------------------------
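The awk pipelines above depend on the tag landing in field $5 and the interface name in $10, which is why the unfiltered run produced "garbage". The added example below (Python 3, not part of the course notes) does the same grouping and counting keyed on the %FACILITY-SEVERITY-MNEMONIC tag itself, so a differently formatted line is skipped rather than miscounted, and it adds the one check an analyst actually wants from LINEPROTO-5-UPDOWN messages: which interfaces are flapping. The log lines are constructed for the example, not taken from cisco.log.

```python
"""Cisco IOS syslog parsing equivalent to the grep/awk/sort/uniq pipelines above.
Added example for the Cisco-logs section; not the course's code.
Sample lines are constructed."""
import re
from collections import Counter

TAG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<msg>.*)"
)
UPDOWN_RE = re.compile(r"Line protocol on Interface (?P<iface>\S+), changed state to (?P<state>\w+)")


def parse_line(line: str):
    """dict(facility, severity, mnemonic, msg) or None for lines with no syslog tag."""
    m = TAG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec


def tag_counts(lines) -> Counter:
    """grep '%...-[0-9]-...' | awk '{print $5}' | sort | uniq -c | sort -rn"""
    c = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            c["%{facility}-{severity}-{mnemonic}".format(**rec)] += 1
    return c


def interface_transitions(lines) -> Counter:
    """awk '{print $10 " changed to " $14}' for LINEPROTO-5-UPDOWN, as (iface, state) -> count."""
    c = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["mnemonic"] == "UPDOWN":
            m = UPDOWN_RE.search(rec["msg"])
            if m:
                c[(m["iface"], m["state"])] += 1
    return c


def flapping(lines, threshold: int = 3) -> list:
    """Interfaces that went down at least `threshold` times: the entries worth reading first."""
    downs = Counter()
    for (iface, state), n in interface_transitions(lines).items():
        if state == "down":
            downs[iface] += n
    return sorted(i for i, n in downs.items() if n >= threshold)


SAMPLE_LOG = [  # constructed
    "Mar 26 10:00:01 10.0.0.1 101: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar 26 10:00:02 10.0.0.1 102: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "Mar 26 10:00:03 10.0.0.1 103: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar 26 10:00:04 10.0.0.1 104: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to up",
    "Mar 26 10:00:05 10.0.0.1 105: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar 26 10:00:06 10.0.0.1 106: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)",
    "Mar 26 10:00:07 10.0.0.1 107: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.9] [localport: 22]",
    "garbage line with no syslog tag",
]

if __name__ == "__main__":
    for tag, n in tag_counts(SAMPLE_LOG).most_common():
        print(n, tag)
    for (iface, state), n in interface_transitions(SAMPLE_LOG).most_common():
        print(n, iface, "changed to", state)
    print("flapping:", flapping(SAMPLE_LOG))
```

To run it against the real file, replace `SAMPLE_LOG` with `open("cisco.log")`; every function only iterates its argument, so the file is streamed line by line.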
  520.  
  521.  
  522.  
  523.  
  524.  
  525. ###############
  526. # Apache Logs #
  527. ###############
  528. ---------------------------Type This-----------------------------------
  529. wget https://s3.amazonaws.com/infosecaddictsfiles/access_log
  530. -----------------------------------------------------------------------
  531.  
  532. # top 20 URLs from the last 5000 hits
  533. ---------------------------Type This-----------------------------------
  534. tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  535. tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  536. -----------------------------------------------------------------------
  537.  
  538.  
  539. # top 20 URLS excluding POST data from the last 5000 hits
  540. ---------------------------Type This-----------------------------------
  541. tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  542. tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  543. -----------------------------------------------------------------------
  544.  
  545.  
  546. # top 20 IPs from the last 5000 hits
  547. ---------------------------Type This-----------------------------------
  548. tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
  549. tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  550. -----------------------------------------------------------------------
  551.  
  552.  
  553.  
  554. # top 20 URLs requested from a certain ip from the last 5000 hits
  555. ---------------------------Type This-----------------------------------
  556. IP=141.101.80.187; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
  557. IP=141.101.80.187; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  558. -----------------------------------------------------------------------
  559.  
  560.  
  561.  
  562. # top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
  563. ---------------------------Type This-----------------------------------
  564. IP=141.101.80.187; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
  565. IP=141.101.80.187; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
  566. -----------------------------------------------------------------------
  567.  
  568.  
  569.  
  570. # top 20 referrers from the last 5000 hits
  571. ---------------------------Type This-----------------------------------
  572. tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
  573. tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
  574. -----------------------------------------------------------------------
  575.  
  576.  
  577.  
  578. # top 20 user agents from the last 5000 hits
  579. ---------------------------Type This-----------------------------------
  580. tail -5000 ./access_log | cut -d\ -f12- | sort | uniq -c | sort -rn | head -20
  581. -----------------------------------------------------------------------
  582.  
  583.  
  584.  
  585. # sum of data (in MB) transferred in the last 5000 hits
  586. ---------------------------Type This-----------------------------------
  587. tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
  588. -----------------------------------------------------------------------
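Every one-liner above is a count over one awk field: $1 (client), $7 (request URL), $10 (bytes), $11 (referer), $12- (user agent). The added example below (Python 3, not part of the course notes) parses the Apache combined format with a regex so a quoted field containing spaces cannot shift the columns, then reproduces the same reports, including the `-F"[ ?]"` trick of dropping the query string and the `sum/1048576` total, where a `-` byte count is treated as 0 instead of silently skipped. The log lines are constructed, not taken from access_log.

```python
"""Apache 'combined' access_log parsing and the top-N reports from the notes.
Added example for the Apache-logs section; not the course's code.
Sample lines are constructed."""
import re
from collections import Counter
from urllib.parse import urlsplit

COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse(line: str):
    """dict of named fields, or None if the line is not in combined format."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = urlsplit(rec["url"]).path   # like awk -F"[ ?]": URL without the query string
    return rec


def records(lines) -> list:
    return [r for r in (parse(l) for l in lines) if r]


def top(recs, key: str, n: int = 20) -> list:
    """[(count, value), ...] in the order `sort | uniq -c | sort -rn | head -n` would print."""
    return sorted(((c, v) for v, c in Counter(r[key] for r in recs).items()), reverse=True)[:n]


def megabytes(recs) -> float:
    """awk '{sum+=$10} END {print sum/1048576}', with '-' counted as 0 bytes."""
    return sum(r["bytes"] for r in recs) / 1048576


def requests_from(recs, ip: str) -> list:
    """Exact match on the client field ($1 ~ ip in the notes), not a grep over the whole line."""
    return [r for r in recs if r["ip"] == ip]


SAMPLE_LOG = [  # constructed
    '141.101.80.187 - - [26/Mar/2018:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '141.101.80.187 - - [26/Mar/2018:10:00:01 +0000] "GET /search.php?q=one HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '141.101.80.187 - - [26/Mar/2018:10:00:02 +0000] "GET /search.php?q=two HTTP/1.1" 200 1024 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '141.101.80.18 - - [26/Mar/2018:10:00:03 +0000] "GET /login HTTP/1.1" 302 - "-" "curl/7.58.0"',
    '10.0.0.5 - - [26/Mar/2018:10:00:04 +0000] "POST /login HTTP/1.1" 200 2048 "http://141.101.80.187/" "curl/7.58.0"',
    'this is not an access_log line',
]

if __name__ == "__main__":
    recs = records(SAMPLE_LOG)
    print("top URLs:", top(recs, "url"))
    print("top URLs without query:", top(recs, "path"))
    print("top IPs:", top(recs, "ip"))
    print("top agents:", top(recs, "agent"))
    print("MB transferred:", megabytes(recs))
    print("paths from 141.101.80.187:", top(requests_from(recs, "141.101.80.187"), "path"))
```

For the real file, `records(open("access_log"))` replaces `SAMPLE_LOG`; to mimic `tail -5000`, slice the result with `[-5000:]` after parsing.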
  589.  
  590.  
  591.  
  592.  
  593.  
  594.  
  595. #################################
  596. # Using Python for log analysis #
  597. #################################
  598. ---------------------------Type This-----------------------------------
  599. wget https://s3.amazonaws.com/infosecaddictsfiles/access_log
  600.  
  601.  
  602. cat access_log | grep 141.101.80.188
  603.  
  604. cat access_log | grep 141.101.80.187
  605.  
  606. cat access_log | grep 108.162.216.204
  607.  
  608. cat access_log | grep 173.245.53.160
  609.  
  610. cat access_log | grep 173.245.53.160 | wc -l
  611.  
  612. ---------------------------------------------------------
  613.  
  614.  
  615. Take a look at the following reference:
  616. http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
  617.  
  618.  
  619.  
  620. Let's have some fun.....
  621. ---------------------------Type This-----------------------------------
  622. python
  623.  
  624. >>> f = open('access_log', "r")
  625.  
  626. >>> lines = f.readlines()
  627.  
  628. >>> print lines
  629.  
  630. >>> lines[0]
  631.  
  632. >>> lines[10]
  633.  
  634. >>> lines[50]
  635.  
  636. >>> lines[1000]
  637.  
  638. >>> lines[5000]
  639.  
  640. >>> lines[10000]
  641.  
  642. >>> print len(lines)
  643.  
  644. >>> exit()
  645.  
  646.  
  647.  
  648. ---------------------------Type This-----------------------------------
  649. nano logread1.py
  650.  
  651.  
  652.  
  653. ----------------------Paste this in the file----------------------------
  654. ## Open the file with read only permit
  655. f = open('access_log', "r")
  656.  
  657. ## use readlines to read all lines in the file
  658. ## The variable "lines" is a list containing all lines
  659. lines = f.readlines()
  660.  
  661. print lines
  662.  
  663.  
  664. ## close the file after reading the lines.
  665. f.close()
  666.  
  667. -----------------------------------------------------------------------
  668.  
  669.  
  670. Google the following:
  671. - python difference between readlines and readline
  672. - python readlines and readline
  673.  
  674.  
  675.  
  676.  
  677. Can you write an if/then statement that looks for the following IP in the log file?
  678. 141.101.81.187
  679.  
  680.  
  681.  
  682.  
  683.  
  684.  
  685. ---------------------------------------------------------
  686. Hint 1: Use Python to look for a value in a list
  687.  
  688. Reference:
  689. http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
  690.  
  691.  
  692.  
  693.  
  694. ---------------------------------------------------------
  695. Hint 2: Use Python to prompt for user input
  696.  
  697. Reference:
  698. http://www.cyberciti.biz/faq/python-raw_input-examples/
  699.  
  700.  
  701.  
  702.  
  703. ---------------------------------------------------------
  704. Hint 3: Use Python to search for a string in a list
  705.  
  706. Reference:
  707. http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
  708.  
  709.  
  710.  
  711.  
  712.  
  713. Here is my solution:
  714. -------------------
  715. $ python
  716. >>> f = open('access_log', "r")
  717. >>> lines = f.readlines()
  718. >>> ip = '141.101.81.187'
  719. >>> for string in lines:
  720. ... if ip in string:
  721. ... print(string)
  722.  
  723. >>>
  724. >>> exit()
  725.  
  726.  
  727.  
  728.  
  729.  
  730. Here is one student's solution - can you please explain each line of this code to me?
  731. -------------------------------------------------------------------------------------
  732.  
  733.  
  734. ---------------------------Type This-----------------------------------
  735. nano logread1.py
  736.  
  737.  
  738.  
  739. ----------------------Paste this in the file----------------------------
  740. #!/usr/bin/python
  741.  
  742. f = open('access_log')
  743.  
  744. strUsrinput = raw_input("Enter IP Address: ")
  745.  
  746. for line in iter(f):
  747. ip = line.split(" - ")[0]
  748. if ip == strUsrinput:
  749. print line
  750.  
  751. f.close()
  752. -----------------------------------------------------------------------
  753.  
  754.  
  755.  
  756.  
  757. -------------------------------
  758.  
  759. Working with another student after class we came up with another solution:
  760.  
  761. ---------------------------Type This-----------------------------------
  762. nano logread1.py
  763.  
  764.  
  765.  
  766. ----------------------Paste this in the file----------------------------
  767. #!/usr/bin/env python
  768.  
  769.  
  770. # This line opens the log file
  771. f=open('access_log',"r")
  772.  
  773. # This line takes each line in the log file and stores it as an element in the list
  774. lines = f.readlines()
  775.  
  776.  
  777. # This lines stores the IP that the user types as a var called userinput
  778. userinput = raw_input("Enter the IP you want to search for: ")
  779.  
  780.  
  781.  
  782. # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
  783. for ip in lines:
  784. if ip.find(userinput) != -1:
  785. print ip
  786. ------------------------------------------------------------------------
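The three solutions above differ in two ways worth spelling out, which is what the "readlines vs readline" search is meant to surface. First, `readlines()` loads the whole log into a list, while iterating the file object (the student's `for line in iter(f)`) reads one line at a time and works on a log larger than memory. Second, `ip in string` and `find()` are substring tests: searching for 141.101.81.18 also matches 141.101.81.187, and matches an address that appears only in the referer field. The added example below (Python 3, written for this page and not one of the solutions above) shows both points on a constructed three-line log.

```python
"""Streamed, exact-match IP search over an access log, contrasted with the
naive substring test.  Added example for the Python log-analysis section;
not the course's or a student's code.  The log text is constructed."""
import io
import re


def ip_pattern(ip: str):
    """Match `ip` only when it is not part of a longer dotted number."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def lines_with_ip(fileobj, ip: str):
    """Generator: yields matching lines one at a time.  Iterating the file object
    is equivalent to calling readline() until it returns '', so the whole file is
    never held in memory the way readlines() holds it."""
    pat = ip_pattern(ip)
    for line in fileobj:
        if pat.search(line):
            yield line.rstrip("\n")


def count_substring(fileobj, ip: str) -> int:
    """The 'if ip in line' test from the solutions above, for comparison."""
    return sum(1 for line in fileobj if ip in line)


def find_ip(text: str, ip: str) -> list:
    """Convenience wrapper: run lines_with_ip over an in-memory log."""
    return list(lines_with_ip(io.StringIO(text), ip))


SAMPLE = (  # constructed
    '141.101.81.187 - - [26/Mar/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "curl"\n'
    '141.101.81.18 - - [26/Mar/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "curl"\n'
    '10.0.0.7 - - [26/Mar/2018:10:00:02 +0000] "GET /x HTTP/1.1" 404 0 "http://141.101.81.187/" "curl"\n'
)


def demo() -> tuple:
    """(exact matches, substring matches) for 141.101.81.18 in SAMPLE."""
    exact = len(find_ip(SAMPLE, "141.101.81.18"))
    naive = count_substring(io.StringIO(SAMPLE), "141.101.81.18")
    return exact, naive


if __name__ == "__main__":
    print(demo())   # (1, 3): the substring test also counts .187 twice
    for line in lines_with_ip(open(__file__), "0.0.0.0"):
        print(line)  # streaming form over a real file handle (finds nothing in this script)
```

Note that the anchored pattern still matches an address anywhere on the line, including the referer, as the author's own solution does; for "requests made by this client" compare the first field, as the student's `line.split(" - ")[0]` does.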
  787.  
  788.  
  789.  
  790.  
  791.  
  792.  
  793.  
  794.  
  795.  
  796.  
  797.  
  798.  
  799.  
  800. #################
  801. # PCAP Analysis #
  802. #################
  803. ---------------------------Type This-----------------------------------
  804. cd ~/Desktop/
  805.  
  806. mkdir suspiciouspcap/
  807.  
  808. cd suspiciouspcap/
  809.  
  810. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  811.  
  812. wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
  813.  
  814.  
  815. perl chaosreader.pl suspicious-time.pcap
  816.  
  817. python -m SimpleHTTPServer
  818. ------------------------------------------------------------------------
  819. Now you can just browse to the IP address of your Linux box on port 8000
  820.  
  821. http://Linux-Box-IP:8000/
  822.  
  823.  
  824.  
  825. --------------------------Type This-----------------------------------
  826. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  827.  
  828. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  829.  
  830.  
  831. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  832. ------------------------------------------------------------------------
  833.  
  834.  
  835.  
  836.  
  837. ########################
  838. # Playing with TCPDump #
  839. ########################
  840.  
  841. Let's install tcpdump
  842. ---------------------------Type This-----------------------------------
  843. sudo apt install -y tcpdump
  844. ------------------------------------------------------------------------
  845.  
  846.  
  847.  
  848. The easiest way to use tcpdump is to just directly write a pcap file
  849. Run tcpdump to capture a .pcap file that we will use for the next exercise
  850.  
  851. ---------------------------Type This-----------------------------------
  852.  
  853. sudo tcpdump -ni eth0 -s0 -w quick.pcap
  854.  
  855. ----------------------------------------------------------------------
  856.  
  857. --open another command prompt--
  858.  
  859. ---------------------------Type This-----------------------------------
  860.  
  861.  
  862. wget http://packetlife.net/media/library/12/tcpdump.pdf
  863.  
  864. ----------------------------------------------------------------------
  865.  
  866.  
  867.  
  868. The basic structure of tcpdump output is:
  869.  
  870. [timestamp] [network protocol] [source IP].[source port] > [destination IP].[destination port]
  871.  
  872.  
  873. ---------------------------Type This-----------------------------------
  874. tcpdump -nn -r suspicious-time.pcap | head
  875. ------------------------------------------------------------------------
  876.  
  877.  
  878.  
  879. To grab a count of the number of packets in a capture you can type:
  880. ---------------------------Type This-----------------------------------
  881. tcpdump -nn -r suspicious-time.pcap | wc -l
  882. ------------------------------------------------------------------------
  883.  
  884.  
  885.  
  886. To select only the source IP with the port, which is the 3rd column you can type:
  887. ---------------------------Type This-----------------------------------
  888. tcpdump -nn -r suspicious-time.pcap | cut -f 3 -d " " | head
  889. ------------------------------------------------------------------------
  890.  
  891.  
  892.  
  893. To filter for just TCP/IP traffic and exclude layer 2 traffic you can use 'tcp or udp'
  894. ---------------------------Type This-----------------------------------
  895. tcpdump -nn -r suspicious-time.pcap 'tcp or udp' | cut -f 3 -d " " | head
  896. ------------------------------------------------------------------------
  897.  
  898.  
  899.  
  900. Here we are removing the source port by adding another cut that selects the first 4 columns separated by the "." character:
  901. ---------------------------Type This-----------------------------------
  902. tcpdump -nn -r suspicious-time.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head
  903. ------------------------------------------------------------------------
  904.  
  905.  
  906.  
  907. Adding sort and uniq cleans up the data a lot more
  908. ---------------------------Type This-----------------------------------
  909. tcpdump -nn -r suspicious-time.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq | head
  910. ------------------------------------------------------------------------
  911.  
  912.  
  913.  
  914. If you wanted to see the destination instead of the sources you can change the first cut statement:
  915. ---------------------------Type This-----------------------------------
  916. tcpdump -nn -r suspicious-time.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq | head
  917. ------------------------------------------------------------------------
  918.  
  919.  
  920.  
  921. Here we can count just how many of these instances occurred
  922. ---------------------------Type This-----------------------------------
  923. tcpdump -nn -r suspicious-time.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head
  924. ------------------------------------------------------------------------
  925.  
  926.  
  927.  
  928. To examine destination ports, start by selecting only destination IPs and ports for new TCP sessions using a Tcpdump filter of 'tcp[13]=2', which selects only packets
  929. with just the SYN flag set. That way you don't accidentally give undue weight to commonly used ports like 443 and 80, where there may be a large number of packets over very few sessions, as in the case of an HTTP or HTTPS download:
  930. ---------------------------Type This-----------------------------------
  931. tcpdump -nn -r suspicious-time.pcap 'tcp[13]=2' | cut -f 5 -d " " | sort | uniq -c | sort -nr | head
  932. ------------------------------------------------------------------------
  933.  
  934.  
  935.  
  936. Now that you've got the top destinations you can use cut to select only the port
  937. ---------------------------Type This-----------------------------------
  938. tcpdump -nn -r suspicious-time.pcap 'tcp[13]=2' | cut -f 5 -d " " | cut -f 5 -d "." | sort | uniq -c | sort -nr | head
  939. ------------------------------------------------------------------------
  940.  
  941.  
  942.  
  943. We can do the same with the source IP to see who the top talkers are:
  944. ---------------------------Type This-----------------------------------
  945. tcpdump -nn -r suspicious-time.pcap 'tcp[13]=2' | cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head
  946. ------------------------------------------------------------------------
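The three counts above (per-packet destination ports, SYN-only destination ports, and top talkers) as shell functions run over a constructed sample of `tcpdump -nn` output, so the SYN-only weighting can be seen offline. This is an added example, not part of the original course notes; the sample lines, addresses and the column layout `time IP src.port > dst.port: Flags [..], ...` are assumptions.

```shell
# Added example (not from the course notes): the course pipeline wrapped in
# functions and fed a constructed sample of `tcpdump -nn` output.
# Assumed column layout: time IP src.port > dst.port: Flags [..], ...
SAMPLE='12:00:00.000001 IP 10.0.3.15.5353 > 10.0.3.2.53: 1+ A? example.invalid. (34)
12:00:01.000001 IP 10.0.3.15.49152 > 192.168.1.1.80: Flags [S], seq 0, win 65535, length 0
12:00:01.000002 IP 192.168.1.1.80 > 10.0.3.15.49152: Flags [S.], seq 0, ack 1, win 65535, length 0
12:00:01.000003 IP 10.0.3.15.49153 > 192.168.1.1.80: Flags [S], seq 0, win 65535, length 0
12:00:01.000004 IP 10.0.3.15.49154 > 10.0.3.20.80: Flags [S], seq 0, win 65535, length 0
12:00:02.000001 IP 10.0.3.15.49155 > 172.16.0.5.443: Flags [S], seq 0, win 65535, length 0
12:00:02.000002 IP 10.0.3.15.49155 > 172.16.0.5.443: Flags [.], ack 1461, win 65535, length 0
12:00:02.000003 IP 10.0.3.15.49155 > 172.16.0.5.443: Flags [.], ack 2921, win 65535, length 0
12:00:02.000004 IP 10.0.3.15.49155 > 172.16.0.5.443: Flags [.], ack 4381, win 65535, length 0
12:00:02.000005 IP 10.0.3.15.49155 > 172.16.0.5.443: Flags [.], ack 5841, win 65535, length 0
12:00:02.000006 IP 10.0.3.15.49155 > 172.16.0.5.443: Flags [.], ack 7301, win 65535, length 0'

# Destination port of every packet: column 5 is "dst.port:", and its 5th
# dot-separated field is the port (the trailing colon is stripped).
dst_port_counts() {
  cut -f 5 -d " " | cut -f 5 -d "." | tr -d ':' | sort | uniq -c | sort -nr
}

# Only packets with just the SYN flag set, i.e. one line per new TCP session.
# This is the text-output equivalent of the 'tcp[13]=2' capture filter.
syn_dst_port_counts() {
  grep 'Flags \[S\]' | dst_port_counts
}

# Top talkers: column 3 is "src.port"; dot-fields 1-4 are the IPv4 address.
top_src_hosts() {
  cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr
}

echo "per-packet (the single 443 download dominates):"
printf '%s\n' "$SAMPLE" | dst_port_counts
echo "per-session (SYN only, port 80 comes out on top):"
printf '%s\n' "$SAMPLE" | syn_dst_port_counts
echo "top talkers:"
printf '%s\n' "$SAMPLE" | top_src_hosts
```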
  947.  
  948.  
  949.  
  950. Many network protocols store their data as plain text in the payload portion of a packet (SMTP, Syslog, POP3, FTP ASCII mode, HTTP, DNS, etc), and Tcpdump can display this text by using the -A switch:
  951. ---------------------------Type This-----------------------------------
  952. tcpdump -Ann -r suspicious-time.pcap 'dst port 25 or dst port 514 or dst port 110 or dst port 21 or dst port 53 or dst port 80' | head -15
  953. ------------------------------------------------------------------------
  954.  
  955.  
  956.  
  957. Looking at DNS traffic
  958. ---------------------------Type This-----------------------------------
  959. tcpdump -nn -r suspicious-time.pcap 'port 53' | head -5
  960. ------------------------------------------------------------------------
  961.  
  962.  
  963.  
  964. Let's try to exclude some of the common TLDs and see what we come up with:
  965. ---------------------------Type This-----------------------------------
  966. tcpdump -nn -r suspicious-time.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)'
  967. ------------------------------------------------------------------------
  968.  
  969.  
  970.  
  971. Let's grab names instead of IP addresses:
  972. ---------------------------Type This-----------------------------------
  973. tcpdump -nn -r suspicious-time.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'
  974. ------------------------------------------------------------------------
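The name extraction above as shell functions over a constructed sample of `tcpdump -nn 'port 53'` output, with the TLD test anchored to the final label. This is an added example, not from the course notes; the sample lines and addresses are constructed (the two host names are the ones queried later on this page), and the column layout is assumed.

```shell
# Added example (not from the course notes). Column 8 of a query line is the
# queried name; on a response line it is a record type such as "A", which the
# lowercase-letter test drops, as in the course pipeline.
DNS_SAMPLE='12:00:00.000001 IP 10.0.3.15.5353 > 10.0.3.2.53: 1+ A? www.example.com. (33)
12:00:00.000002 IP 10.0.3.2.53 > 10.0.3.15.5353: 1 1/0/0 A 93.184.216.34 (49)
12:00:00.000003 IP 10.0.3.15.5354 > 10.0.3.2.53: 2+ A? rapidshare.com.eyu32.ru. (41)
12:00:00.000004 IP 10.0.3.15.5355 > 10.0.3.2.53: 3+ A? sploitme.com.cn. (33)
12:00:00.000005 IP 10.0.3.15.5356 > 10.0.3.2.53: 4+ A? time.nist.gov. (31)'

# Queried names, one per line, with tcpdump's trailing dot removed.
query_names() {
  cut -f 8 -d " " | grep -E '[a-z]' | sed 's/\.$//'
}

# The course regex, applied to whole names: it drops any name *containing*
# one of the strings, so rapidshare.com.eyu32.ru disappears along with .com.
substring_filter() {
  grep -Ev '(com|net|org|gov|mil|arpa)'
}

# Anchored version: only the final label decides, so names that merely embed
# "com" as a lookalike label are kept for review.
uncommon_tld() {
  grep -Ev '\.(com|net|org|gov|mil|arpa)$'
}

echo "substring filter keeps:"
printf '%s\n' "$DNS_SAMPLE" | query_names | substring_filter
echo "anchored filter keeps:"
printf '%s\n' "$DNS_SAMPLE" | query_names | uncommon_tld
```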
  975.  
  976.  
  977.  
  978.  
  979. Looking at HTTP traffic
  980. ---------------------------Type This-----------------------------------
  981. tcpdump -Ann -r suspicious-time.pcap 'dst port 80' | head -15
  982. ------------------------------------------------------------------------
  983.  
  984.  
  985.  
  986. Removing GET/HEAD methods
  987. ---------------------------Type This-----------------------------------
  988. tcpdump -Ann -r suspicious-time.pcap 'dst port 80' | grep 'HTTP' | grep -Ev '(GET|HEAD)' | head
  989. ------------------------------------------------------------------------
  990.  
  991.  
  992.  
  993. Checking out the referer field
  994. ---------------------------Type This-----------------------------------
  995. tcpdump -Ann -r suspicious-time.pcap 'dst port 80' | grep -i 'referer' | head
  996. ------------------------------------------------------------------------
  997.  
  998.  
  999.  
  1000. Checking out the user-agent field
  1001. ---------------------------Type This-----------------------------------
  1002. tcpdump -Ann -r suspicious-time.pcap 'dst port 80' | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -15
  1003. ------------------------------------------------------------------------
  1004.  
  1005.  
  1006.  
  1007. #############################
  1008. # PCAP Analysis with tshark #
  1009. #############################
  1010. ---------------------------Type This-----------------------------------
  1011. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1012.  
  1013.  
  1014. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1015.  
  1016.  
  1017. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1018.  
  1019.  
  1020. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1021.  
  1022.  
  1023. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  1024.  
  1025.  
  1026. tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1027.  
  1030. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1031.  
  1032. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1033.  
  1034. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1035.  
  1036.  
  1037. whois rapidshare.com.eyu32.ru
  1038.  
  1039. whois sploitme.com.cn
  1040.  
  1041.  
  1042. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1043.  
  1044. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1045.  
  1046. tshark -r suspicious-time.pcap -qz http_req,tree
  1047.  
  1048. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1049.  
  1050. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1051. -----------------------------------------------------------------------
  1052.  
  1053.  
  1054. ######################################
  1055. # PCAP Analysis with forensicPCAP.py #
  1056. ######################################
  1057. ---------------------------Type This-----------------------------------
  1058. cd ~/Desktop/suspiciouspcap/
  1059.  
  1060. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  1061.  
  1062. sudo pip install cmd2==0.7.9
  1063.  
  1064.  
  1065. python forensicPCAP.py suspicious-time.pcap
  1066. ------------------------------------------------------------------------
  1067.  
  1068.  
  1069. ---------------------------Type This-----------------------------------
  1070. ForPCAP >>> help
  1071. ------------------------------------------------------------------------
  1072.  
  1073. Prints stats about the PCAP file
  1074. ---------------------------Type This-----------------------------------
  1075. ForPCAP >>> stat
  1076. ------------------------------------------------------------------------
  1077.  
  1078. Prints all DNS requests from the PCAP file. The id before each DNS request is the packet's id, which can be used with the "show" command.
  1079. ---------------------------Type This-----------------------------------
  1080. ForPCAP >>> dns
  1081.  
  1082. ForPCAP >>> show
  1083. ------------------------------------------------------------------------
  1084.  
  1085. Prints all destination ports from the PCAP file. The id before each entry is the packet's id, which can be used with the "show" command.
  1086. ---------------------------Type This-----------------------------------
  1087. ForPCAP >>> dstports
  1088.  
  1089. ForPCAP >>> show
  1090. ------------------------------------------------------------------------
  1091.  
  1092. Prints the number of source IPs and stores them.
  1093. ---------------------------Type This-----------------------------------
  1094. ForPCAP >>> ipsrc
  1095.  
  1096. ForPCAP >>> show
  1097. ------------------------------------------------------------------------
  1098.  
  1099. Prints the number of web requests and stores them
---------------------------Type This-----------------------------------
  1100. ForPCAP >>> web
  1101.  
  1102. ForPCAP >>> show
  1103. ------------------------------------------------------------------------
  1104.  
  1105.  
  1106. Prints the number of mail requests and stores them
  1107. ---------------------------Type This-----------------------------------
  1108. ForPCAP >>> mail
  1109.  
  1110. ForPCAP >>> show
  1111. ------------------------------------------------------------------------
  1112.  
  1113.  
  1114. If you really want to look at some more in-depth analysis of this suspicious-time.pcap file you can download the following document:
  1115. https://s3.amazonaws.com/infosecaddictsfiles/Forensic+Challenge+2010_-_Challenge_2_-_Solution.doc
  1116.  
  1117.  
  1118.  
  1119.  
  1120.  
  1121.  
  1122.  
  1123.  
  1124. ###################################
  1125. # Day 3: Intro to Memory Analysis #
  1126. ###################################
  1127.  
  1128. ---------------------------Type This-----------------------------------
  1129. cd ~/Desktop/
  1130.  
  1131. sudo apt-get install -y foremost tcpxtract
  1132.  
  1133. wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
  1134.  
  1135. git clone https://github.com/volatilityfoundation/volatility.git
  1136.  
  1137. cd volatility
  1138. sudo pip install distorm3
  1139. sudo python setup.py install
  1140. python vol.py -h
  1141. python vol.py pslist -f ~/Desktop/hn_forensics.vmem
  1142. python vol.py connscan -f ~/Desktop/hn_forensics.vmem
  1143. mkdir dump/
  1144. mkdir -p output/pdf/
  1145. python vol.py -f ~/Desktop/hn_forensics.vmem memdump -p 888 -D dump/
  1146. python vol.py -f ~/Desktop/hn_forensics.vmem memdump -p 1752 -D dump/
  1147. ***Takes a few min***
  1148. strings dump/1752.dmp | grep "^http://" | sort | uniq
  1149. strings dump/1752.dmp | grep "^https://" | sort | uniq
  1151. foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
  1152. cd ~/Desktop/volatility/output/pdf/
  1153. cat audit.txt
  1154. cd pdf
  1155. ls
  1156. grep -i javascript *.pdf
  1157.  
  1158.  
  1159.  
  1160. cd ~/Desktop/volatility/output/pdf/
  1161. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1162. unzip pdf-parser_V0_6_4.zip
  1163. python pdf-parser.py -s javascript --raw pdf/00601560.pdf
  1164. python pdf-parser.py --object 11 pdf/00600328.pdf
  1165. python pdf-parser.py --object 1054 --raw --filter pdf/00601560.pdf > malicious.js
  1166.  
  1167. cat malicious.js
  1168. -----------------------------------------------------------------------
  1169.  
  1170.  
  1171.  
  1172.  
  1173. *****Sorry - no time to cover javascript de-obfuscation today*****
  1174.  
  1175.  
  1176.  
  1177.  
  1178. ---------------------------Type This-----------------------------------
  1179. cd ~/Desktop/volatility
  1180. mkdir files2/
  1181. python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
  1182. python vol.py hivescan -f ~/Desktop/hn_forensics.vmem
  1183. python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1184. -----------------------------------------------------------------------