joemccray

2019 Linux Class

Jun 3rd, 2019
#########################
# Connect to the server #
#########################

Use PuTTY to SSH into my Ubuntu host in order to perform the lab tasks below.

You can download PuTTY from here:
http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

(Fetch it over HTTPS where you can and check the signature the PuTTY site publishes before running it; an SSH client is exactly the kind of tool you do not want swapped out in transit.)


New server IP: 45.77.13.200
protocol: ssh
port: 22
username: linuxclass
password:



##############################################
# Log Analysis with Linux command-line tools #
##############################################
The following command line executables are found on macOS as well as most Linux distributions.

cat – prints the content of a file in the terminal window
grep – searches and filters lines based on patterns (regular expressions)
awk – splits each line into fields and prints only the fields that are needed
sed – performs find-and-replace (stream editing) on each line
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates (which is why input is sorted first)


##############
# Cisco Logs #
##############

AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th whitespace-separated field of each line, which in cisco.log is the %FACILITY-SEVERITY-MNEMONIC message id. Here we will print $5. Only the last 4 lines are being shown for brevity.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-------------------------------------------------------------------------------



Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in "$5", group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through "sort" (uniq only collapses adjacent duplicates, so the input has to be sorted first), using "uniq -c" to count the like entries, then using "sort -rn" to sort numerically in reverse order.

-----------------------------Type this-----------------------------------------
cat cisco.log | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------



While that's sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren't conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This ensures that we are at least looking at lines of text that contain a "%FACILITY-SEVERITY-MNEMONIC" message id. The pattern is quoted so the shell does not try to expand the * and [...] as file globs. Note that [a-zA-Z]* does not match facility names containing digits or underscores (e.g. %SEC_LOGIN-4-LOGIN_FAILED); widen the class to [A-Za-z0-9_] if those show up in your log.

-----------------------------Type this-----------------------------------------
cat cisco.log | grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*' | awk '{print $5}' | sort | uniq -c | sort -rn
-------------------------------------------------------------------------------




Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep. For %LINEPROTO-5-UPDOWN, $10 is the interface name (with a trailing comma, which sed strips) and $14 is the new state, so the last command shows how many times each interface went up or down.

-----------------------------Type this-----------------------------------------
cat cisco.log | grep '%LINEPROTO-5-UPDOWN:'

cat cisco.log | grep '%LINEPROTO-5-UPDOWN:' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep '%LINEPROTO-5-UPDOWN:' | sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep '%LINEPROTO-5-UPDOWN:' | sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
--------------------------------------------------------------------------------
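The same analysis the grep/awk/sort/uniq pipelines above perform, written as a Python 3 script. This is an added example and not part of the class material; the log lines in SAMPLE_LOG are constructed to follow the same field layout as cisco.log (timestamp, host, %FACILITY-SEVERITY-MNEMONIC:, message text). It goes a little beyond the shell version: it keys the regex on the message id rather than on field position, so lines with an extra field do not silently shift $5, and it adds a severity histogram and a "flapping interface" check.

```python
"""Added example: Cisco syslog triage in Python, mirroring the
grep | awk '{print $5}' | sort | uniq -c | sort -rn pipelines above."""
import re
from collections import Counter

# Constructed sample in the lab file's layout (not a real capture).
SAMPLE_LOG = """\
Jun 10 08:00:01 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
Jun 10 08:00:02 rtr1 %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to down
Jun 10 08:00:09 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
Jun 10 08:01:00 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Jun 10 08:02:00 rtr2 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/2, changed state to down
Jun 10 08:02:00 rtr2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 10.0.0.9] [localport: 22] [Reason: Login Authentication Failed] at 08:02:00 UTC
this line has no cisco message id and is the garbage that grep removes
"""

# Same job as grep '%[a-zA-Z]*-[0-9]-[a-zA-Z]*', but digits/underscores allowed.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):")
# Same job as sed 's/,//g' | awk '{print $10 " changed to " $14}'.
STATE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>\w+)")


def count_message_ids(text):
    """Counter of '%FACILITY-SEV-MNEMONIC' ids; most_common() == sort -rn."""
    counts = Counter()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            counts[m.group(0).rstrip(":")] += 1
    return counts


def severity_histogram(text):
    """How many messages at each syslog severity (0=emergency .. 7=debug)."""
    counts = Counter()
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            counts[int(m.group("severity"))] += 1
    return counts


def interface_state_changes(text, msg_id="%LINEPROTO-5-UPDOWN"):
    """Counter of (interface, new_state) for one message id."""
    counts = Counter()
    for line in text.splitlines():
        if msg_id + ":" not in line:
            continue
        m = STATE_RE.search(line)
        if m:
            counts[(m.group("iface"), m.group("state"))] += 1
    return counts


def flapping_interfaces(text, min_changes=2):
    """Interfaces whose line protocol changed state at least min_changes times."""
    per_iface = Counter()
    for (iface, _state), n in interface_state_changes(text).items():
        per_iface[iface] += n
    return sorted(i for i, n in per_iface.items() if n >= min_changes)


if __name__ == "__main__":
    import sys
    # e.g. python3 cisco_triage.py cisco.log ; with no argument the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for msg_id, n in count_message_ids(text).most_common():
        print("%7d %s" % (n, msg_id))          # same shape as uniq -c | sort -rn
    for (iface, state), n in interface_state_changes(text).most_common():
        print("%7d %s changed to %s" % (n, iface, state))
    print("flapping:", flapping_interfaces(text))
```

The script name is an assumption; run it with the lab file as its argument to compare its output against the shell pipelines.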



################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV quarantine, HIPS, spam filter, web proxy, or digital forensics scripts).


The fastest thing you can do is perform static analysis: inspect the file without executing it.



###################
# Static Analysis #
###################

- After logging in, please open a terminal window and type the following commands:


---------------------------Type This-----------------------------------

file wannacry.exe

hexdump -n 2 -C wannacry.exe

----------------------------------------------------------------------



In a browser...go to: http://www.garykessler.net/library/file_sigs.html

***What is '4d 5a' or 'MZ'?***



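The 'MZ' check above, carried one step further in Python 3 as an added example (this is not part of the class material): it reads the two magic bytes that hexdump shows, follows the e_lfanew pointer stored at offset 0x3c to the "PE\0\0" signature, and decodes the COFF header behind it to report target machine, section count and whether the image is a DLL. build_minimal_pe() constructs a fake header for the demo; it is not a real executable. The script file name is an assumption.

```python
"""Added example (Python 3): the `file` / `hexdump -n 2 -C` check taken one
step further, from the MZ magic to the PE signature and COFF header."""
import struct
import sys

# IMAGE_FILE_HEADER.Machine values (subset).
MACHINE_NAMES = {0x014C: "x86 (i386)", 0x8664: "x86-64 (AMD64)",
                 0x01C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000          # Characteristics flag: image is a DLL


def inspect_header(data):
    """Classify a blob by its magic and, for PE files, its COFF header.

    Every offset comes from the (untrusted) file, so each one is bounds
    checked before use; a malformed sample must not crash the triage tool."""
    info = {"magic_hex": " ".join("%02x" % b for b in data[:2]), "kind": "unknown",
            "e_lfanew": None, "machine": None, "sections": None, "is_dll": None}
    if len(data) < 2 or data[:2] != b"MZ":
        return info                                   # not a DOS/PE image at all
    info["kind"] = "MZ (DOS/PE executable stub)"
    if len(data) < 0x40:
        return info                                   # too short to hold e_lfanew
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    # 4-byte signature + 20-byte COFF header must fit inside the file.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["kind"] = "MZ without valid PE signature (DOS program, or truncated/corrupt PE)"
        return info
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["kind"] = "PE"
    info["machine"] = MACHINE_NAMES.get(machine, "0x%04x" % machine)
    info["sections"] = nsections
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    return info


def build_minimal_pe(machine=0x014C, nsections=3, characteristics=0x0102):
    """Constructed test input: an MZ stub, a PE signature and a COFF header.
    Header only, not a runnable executable."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", machine, nsections, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # e.g. python3 pe_header.py wannacry.exe ; with no argument the fake header is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    for k, v in inspect_header(blob).items():
        print("%-10s %s" % (k, v))
```

Answering the question above: '4d 5a' is the ASCII "MZ" that every DOS and Windows executable starts with; the real tell for a modern Windows binary is the "PE\0\0" signature the e_lfanew field points to.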
---------------------------Type This-----------------------------------
objdump -x wannacry.exe

strings wannacry.exe

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------

objdump -x dumps the PE headers, section table and import table (the stock binutils on Ubuntu understands PE, so it works on Windows binaries). strings only prints runs of 4 or more printable 7-bit characters by default; Windows binaries keep much of their text as UTF-16LE, so repeat any interesting grep with "strings -el wannacry.exe" to catch those.



Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"


Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -


Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

(In Yara, "ascii" matches the 8-bit form of the string, "wide" the UTF-16LE form, and "nocase" makes the match case-insensitive. Plain strings | grep only sees the ascii form.)



Ok, let's look for the individual strings


---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry     **** Matches $s5, hmmm.....
----------------------------------------------------------------------



####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference 1:
http://45.63.104.73/analyse_malware.py

This is a really good script for the basics of static analysis.

Reference 2:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


This is really good for showing some good signatures to add to the Python script.


Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP



---------------------------Type This-----------------------------------

cat am.py | less

python2.7 am.py wannacry.exe
----------------------------------------------------------------------
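A Python 3 sketch of the idea behind am.py, added here as an example (it is not the class's script and not the referenced analyse_malware.py): it extracts both 8-bit and UTF-16LE strings, the way strings and strings -el do, and matches them against the Yara strings listed above with "wide ascii nocase" semantics. It also serves the strings | grep steps earlier on this page. The SAMPLE blob is constructed for the demo and contains only the indicator text, not malware; the match threshold of 3 is my choice, since the rule's condition is not shown above. The script file name is an assumption.

```python
"""Added example (Python 3): ASCII + wide string extraction and matching
against the Yara indicator strings from the WannaCry rule above."""
import re
import sys

# Indicator strings copied from the Yara rule above ($s6 is absent there as well).
INDICATORS = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # what strings(1) prints
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # what strings -el prints


def ascii_strings(data):
    """Printable 7-bit runs of 4+ characters, like `strings`."""
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]


def wide_strings(data):
    """UTF-16LE runs of 4+ characters, like `strings -el`."""
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]


def match_indicators(data, indicators=INDICATORS):
    """Return {indicator_name: {"ascii", "wide", ...}} for every hit, case-insensitive."""
    found = {}
    for encoding, strs in (("ascii", ascii_strings(data)), ("wide", wide_strings(data))):
        lowered = [s.lower() for s in strs]
        for name, needle in indicators.items():
            if any(needle.lower() in s for s in lowered):
                found.setdefault(name, set()).add(encoding)
    return found


def verdict(data, threshold=3):
    """('match' | 'no match', hits). Threshold is a demo choice, not the rule's."""
    hits = match_indicators(data)
    return ("match" if len(hits) >= threshold else "no match"), hits


# Constructed sample: an MZ stub with a few embedded strings. NOT real malware.
# Double NUL padding keeps the wide regex from starting mid-character.
SAMPLE = (b"MZ" + b"\x00" * 62
          + b"KERNEL32.dll\x00CryptGenKey\x00\x00"
          + "Ooops, your files have been encrypted!".encode("utf-16-le") + b"\x00\x00"
          + "Wanna Decryptor".encode("utf-16-le") + b"\x00\x00"
          + b"WANACRY!\x00icacls . /grant Everyone:F /T /C /Q\x00")


if __name__ == "__main__":
    # e.g. python3 indicators.py wannacry.exe ; with no argument SAMPLE is scanned
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result, hits = verdict(data)
    print(result)
    for name in INDICATORS:
        if name in hits:
            print("%s  %-40s %s" % (name, INDICATORS[name], ",".join(sorted(hits[name]))))
```

The point the sample makes: two of the four hits are wide-only, so "strings wannacry.exe | grep -i wanna" style checks miss them unless you also run strings with -el.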



#################################
# Analyzing a PCAP with Prads    #
# Note: run as regular user      #
#################################

prads passively fingerprints every host seen in the capture and writes one line per asset to the log: SYN entries carry the OS guess from the TCP/IP stack fingerprint, CLIENT and SERVER entries carry the application banner (browser user-agent, web server version).

---------------------------Type this as a regular user----------------------------------

prads -r suspicious-time.pcap -l prads-asset.log

cat prads-asset.log | less

cat prads-asset.log | grep SYN | grep -iE 'windows|linux'

cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'

cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
-----------------------------------------------------------------------
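The inventory the three grep pipelines above build, as a Python 3 script. This is an added example, not part of the class or of prads. It assumes the record layout prads writes in its header line (asset,vlan,port,proto,service,[service-info],distance,discovered); because the bracketed service-info field can itself contain commas, the parser anchors on the brackets instead of splitting on commas. The sample lines are constructed, and the keyword lists mirror the grep -iE alternations above (Chrome is tested before Safari because a Chrome user-agent also contains "Safari").

```python
"""Added example (Python 3): parse a prads asset log and summarise OS,
browser and server software per host, like the grep pipelines above."""
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the assumed prads-asset.log layout (not a real capture).
SAMPLE_LOG = """\
asset,vlan,port,proto,service,[service-info],distance,discovered
10.0.2.15,0,0,6,SYN,[65535:128:1:48:M1460,N,N,S:.:Windows:XP/2000 (RFC1323+, w+, tstamp-):link:ethernet/modem],0,1307290400
10.0.2.15,0,0,6,CLIENT,[http:Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 Chrome/73.0 Safari/537.36],0,1307290401
64.233.169.104,0,80,6,SERVER,[http:Apache/2.2],0,1307290402
192.168.1.20,0,0,6,SYN,[5840:64:1:60:M1460,S,T,N,W0:.:Linux:2.6 (newer, 7):link:ethernet/modem],1,1307290403
192.168.1.20,0,0,6,CLIENT,[http:Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/60.0],0,1307290404
192.168.1.1,0,443,6,SERVER,[http:nginx/1.14.0],0,1307290405
not,a,valid,line
"""

# The service-info field is taken as everything between the [ and the last ],
# so commas inside the fingerprint do not break the record.
RECORD_RE = re.compile(
    r"^(?P<asset>[^,]+),(?P<vlan>[^,]*),(?P<port>\d+),(?P<proto>\d+),"
    r"(?P<service>[A-Z]+),\[(?P<info>.*)\],(?P<distance>\d+),(?P<discovered>\d+)$")

# Order matters: the first keyword found wins.
OS_KEYS = ["windows", "linux", "freebsd", "openbsd", "mac os", "ios"]
CLIENT_KEYS = ["chrome", "firefox", "opera", "safari", "msie", "curl", "wget"]
SERVER_KEYS = ["apache", "nginx", "iis", "lighttpd", "ubuntu", "linux"]


def parse_prads(text):
    """One dict per well-formed asset line; the header and junk lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"], rec["distance"] = int(rec["port"]), int(rec["distance"])
            records.append(rec)
    return records


def tag(info, keys):
    """First keyword (case-insensitive) found in a service-info string, else 'other'."""
    low = info.lower()
    for k in keys:
        if k in low:
            return k
    return "other"


def inventory(records):
    """Counts of OS guesses (SYN), browsers (CLIENT) and server software (SERVER)."""
    inv = {"os": Counter(), "client": Counter(), "server": Counter()}
    for r in records:
        if r["service"] == "SYN":
            inv["os"][tag(r["info"], OS_KEYS)] += 1
        elif r["service"] == "CLIENT":
            inv["client"][tag(r["info"], CLIENT_KEYS)] += 1
        elif r["service"] == "SERVER":
            inv["server"][tag(r["info"], SERVER_KEYS)] += 1
    return inv


def hosts_by_os(records):
    """OS tag -> sorted asset IPs, for 'which hosts on this capture are Windows?'."""
    out = defaultdict(set)
    for r in records:
        if r["service"] == "SYN":
            out[tag(r["info"], OS_KEYS)].add(r["asset"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    # e.g. python3 prads_inventory.py prads-asset.log ; with no argument the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    recs = parse_prads(text)
    for kind, counts in inventory(recs).items():
        print(kind, dict(counts))
    print(hosts_by_os(recs))
```

If your prads build writes a different column order, adjust RECORD_RE to match the header line at the top of the log before trusting the counts.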



##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user      #
##################################
---------------------------Type this as a regular user----------------------------------
perl chaosreader.pl suspicious-time.pcap

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr


# For every extracted HTTP session: client IP, server IP and the Host header(s) requested
for i in session_00[0-9]*.http.html; do
    srcip=$(grep 'http: ' "$i" | awk '{print $2}' | cut -d ':' -f1)
    dstip=$(grep 'http: ' "$i" | awk '{print $4}' | cut -d ':' -f1)
    host=$(grep 'Host: ' "$i" | sort -u | sed -e 's/Host: //g')
    echo "$srcip --> $dstip = $host"
done | sort -u


------------------------------------------------------------------------