Linux

djtroby May 31st, 2017
##############################
# Linux For InfoSec Pros     #
# By Joe McCray              #
##############################


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec


########################################
# Boot up the StrategicSec Ubuntu host #
########################################

- Log in to your Ubuntu host with the following credentials:
    user: strategicsec
    pass: strategicsec


- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


########################
# Basic Linux Commands #
########################

pwd

whereis pwd

which pwd

sudo find / -name pwd
     strategicsec

/bin/pwd

mkdir test

cd test

touch one two three

ls -l t     (without pressing the Enter key, press the Tab key twice. What happens?)

h       (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'    (What happens?)

Press 'Ctrl-A'          (What happens?)

ls

clear               (What happens?)

echo one > one

cat one             (What happens?)

man cat             (What happens?)
    q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three           (What happens?)

wc -l three

man wc
    q

cat three | grep four

cat three | grep one

man grep
    q


sudo grep 'eth[01]' /etc/*    (What happens? The pattern is quoted so the shell does not treat the brackets as a glob.)
    strategicsec

cat /etc/iftab


man ps
    q

ps

ps aux

ps aux | less

Press the 'Up arrow key'    (What happens?)

Press the 'Down arrow key'  (What happens?)
    q

top
############
# VIM Demo #
############
http://www.thegeekstuff.com/2009/03/8-essential-vim-editor-navigation-fundamentals/



###################
# Common commands #
###################
http://www.thegeekstuff.com/2009/03/15-practical-linux-find-command-examples/
http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/
http://www.thegeekstuff.com/2010/01/awk-introduction-tutorial-7-awk-print-examples/
http://www.thegeekstuff.com/2009/10/unix-sed-tutorial-advanced-sed-substitution-examples/

http://www.thegeekstuff.com/2010/11/50-linux-commands/
http://www.thegeekstuff.com/2009/10/debian-ubuntu-install-upgrade-remove-packages-using-apt-get-apt-cache-apt-file-dpkg/
http://www.thegeekstuff.com/2010/11/modprobe-command-examples/
http://www.thegeekstuff.com/2009/06/useradd-adduser-newuser-how-to-create-linux-users/
http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/
http://www.thegeekstuff.com/2010/08/how-to-create-lvm/
http://www.thegeekstuff.com/2010/10/dmesg-command-examples/
http://www.thegeekstuff.com/2010/03/netstat-command-examples/
  146.  
#################
# IPTables Demo #
#################
Reference:
http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Delete Existing Rules
---------------------
sudo /sbin/iptables -F
    strategicsec

    (or)

sudo /sbin/iptables --flush
    strategicsec


Set Default Chain Policies
--------------------------
sudo /sbin/iptables -P INPUT DROP
sudo /sbin/iptables -P FORWARD DROP
sudo /sbin/iptables -P OUTPUT DROP


Block a Specific IP Address
---------------------------
BLOCK_THIS_IP="x.x.x.x"
sudo /sbin/iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP

sudo /sbin/iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP


Allow ALL Incoming SSH
----------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Allow Incoming SSH only from a Specific Network
-----------------------------------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Allow Incoming HTTP and HTTPS
-----------------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT


Combine Multiple Rules Together using MultiPorts
------------------------------------------------
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT


Allow Outgoing SSH
------------------
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT


Allow Outgoing SSH only to a Specific Network
---------------------------------------------
sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp -d 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --sport 22 -m state --state ESTABLISHED -j ACCEPT

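The demo rules above assembled into one script, as an added example that is not part of the original notes. It assumes eth0, a management network of 192.168.100.0/24 and a dry-run mode that prints the rules instead of applying them; it also opens loopback and outbound DNS, which the notes do not, because with OUTPUT set to DROP the notes' rules alone break apt-get and name resolution.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: the IPTables demo rules as one
# script. Assumptions (mine): interface eth0, management network 192.168.100.0/24,
# and a dry-run mode that prints each iptables command instead of running it.
set -eu

FW_IPT=${FW_IPT:-/sbin/iptables}
FW_IFACE=${FW_IFACE:-eth0}
FW_MGMT_NET=${FW_MGMT_NET:-192.168.100.0/24}
FW_DRY_RUN=${FW_DRY_RUN:-1}        # 1 = print the rules, 0 = apply them (needs root)

# ipt ARGS... : print or run one iptables command depending on FW_DRY_RUN
ipt() {
  if [ "$FW_DRY_RUN" = 1 ]; then printf '%s %s\n' "$FW_IPT" "$*"; else "$FW_IPT" "$@"; fi
}

# allow_in DPORT [SRC_NET] : accept new inbound TCP to DPORT (optionally only from
# SRC_NET) plus the established replies, the same pairing the notes use
allow_in() {
  local dport=$1 src=${2:-} sm="" dm=""
  if [ -n "$src" ]; then sm="-s $src"; dm="-d $src"; fi
  # $sm/$dm stay unquoted on purpose: an empty value contributes no argument
  ipt -A INPUT  -i "$FW_IFACE" -p tcp $sm --dport "$dport" -m state --state NEW,ESTABLISHED -j ACCEPT
  ipt -A OUTPUT -o "$FW_IFACE" -p tcp $dm --sport "$dport" -m state --state ESTABLISHED -j ACCEPT
}

# allow_out DPORT [DST_NET] : accept new outbound TCP to DPORT (optionally only to
# DST_NET) plus the established replies
allow_out() {
  local dport=$1 dst=${2:-} dm="" sm=""
  if [ -n "$dst" ]; then dm="-d $dst"; sm="-s $dst"; fi
  ipt -A OUTPUT -o "$FW_IFACE" -p tcp $dm --dport "$dport" -m state --state NEW,ESTABLISHED -j ACCEPT
  ipt -A INPUT  -i "$FW_IFACE" -p tcp $sm --sport "$dport" -m state --state ESTABLISHED -j ACCEPT
}

# build_ruleset : flush, default-deny, then the allow-list, in the order the notes use
build_ruleset() {
  ipt -F
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT DROP
  ipt -A INPUT  -i lo -j ACCEPT                    # loopback (my addition, not in the notes)
  ipt -A OUTPUT -o lo -j ACCEPT
  ipt -A OUTPUT -o "$FW_IFACE" -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT   # DNS (my addition)
  ipt -A INPUT  -i "$FW_IFACE" -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
  allow_in 22 "$FW_MGMT_NET"      # SSH only from the management network
  allow_in 80                     # HTTP and HTTPS from anywhere
  allow_in 443
  allow_out 22 "$FW_MGMT_NET"     # outgoing SSH only to the management network
}

# Run directly to print the rule set; FW_DRY_RUN=0 as root applies it.
build_ruleset
```

Apply it from the console the first time rather than over SSH: if the script stops between the DROP policies and the SSH ACCEPT rule, the remote session is gone.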
####################
# MD5 Hashing Demo #
####################
mkdir ~/demo
cd ~/demo


mkdir hashdemo
cd hashdemo
echo test > test.txt
cat test.txt
md5sum test.txt
echo hello >> test.txt
cat test.txt
md5sum test.txt
cd ..


Reference:
https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/
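The hashing demo above generalised from one file to a whole directory, as an added example that is not part of the original notes: record a baseline of hashes, then report which files changed, disappeared or appeared. It swaps sha256sum in for md5sum (MD5 collisions are cheap to manufacture) and assumes GNU coreutils/findutils, file names without whitespace, and a baseline path outside the directory being checked.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: baseline-and-verify integrity
# check built on the same hash-the-file idea as the md5sum demo.
# Assumptions: GNU find/sort/xargs/sha256sum, no whitespace in file names, and
# BASELINE given as an absolute path that is not inside DIR.
set -eu

# hash_baseline DIR BASELINE : write one "hash  ./path" line per regular file under DIR
hash_baseline() {
  local dir=$1 base=$2
  ( cd "$dir" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$base"
}

# verify_baseline DIR BASELINE : print MISSING / MODIFIED / NEW findings, one per line.
# Returns 0 when DIR still matches the baseline and 1 when anything changed.
verify_baseline() {
  local dir=$1 base=$2 cur findings
  cur=$(mktemp)
  hash_baseline "$dir" "$cur"
  # first input: expected hashes keyed by path; second input: current hashes
  findings=$(awk 'NR == FNR { want[$2] = $1; next }
                  { have[$2] = $1 }
                  END {
                    for (f in want)
                      if (!(f in have))            print "MISSING " f
                      else if (have[f] != want[f]) print "MODIFIED " f
                    for (f in have)
                      if (!(f in want))            print "NEW " f
                  }' "$base" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Usage: hash_baseline /etc /root/etc.sha256   then later   verify_baseline /etc /root/etc.sha256
```

Keep the baseline somewhere the monitored host cannot rewrite it, otherwise an attacker who changes a file can update the baseline to match.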

#################################
# Symmetric Key Encryption Demo #
#################################
mkdir gpgdemo
cd gpgdemo
echo test > test.txt
cat test.txt
gpg -c test.txt
    password
    password
ls | grep test
cat test.txt
cat test.txt.gpg
rm -rf test.txt
ls | grep test
gpg -o output.txt test.txt.gpg
    password
cat output.txt

########################################
# Asymmetric Key Encryption Demo       #
#                                      #
# Configure random number generator    #
########################################
https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny

sudo apt-get install rng-tools
    strategicsec

sudo /etc/init.d/rng-tools start

sudo rngd -r /dev/urandom
    strategicsec


echo hello > file1.txt
echo goodbye > file2.txt
echo green > file3.txt
echo blue > file4.txt

tar czf files.tar.gz *.txt

gpg --gen-key
    1
    1024
    0
    y
    John Doe
    john@doe.com
    --blank comment--
    O
        password
        password


gpg --armor --output file-enc-pubkey.txt --export 'John Doe'

cat file-enc-pubkey.txt

gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'

cat file-enc-privkey.asc

gpg --encrypt --recipient 'John Doe' files.tar.gz

rm -rf files.tar.gz *.txt

tar -zxvf files.tar.gz.gpg      (What happens?)

gpg --output output.tar.gz --decrypt files.tar.gz.gpg
    password

tar -zxvf output.tar.gz


Reference:
http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/


############################
# Encryption using OpenSSL #
############################
openssl genrsa -out private_key.pem 1024
openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout


echo hello > encrypt.txt
openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat

cat encrypt.dat

rm -rf encrypt.txt

openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt

cat decrypt.txt

##################
# SELinux Basics #
##################

sudo apt-get install selinux selinux-utils
    strategicsec


- Change the SELinux mode in /etc/selinux/config (optional):

- Enforcing
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
    strategicsec

- Permissive
sudo sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
    strategicsec

- Reboot

Reference:
http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-for-the-beginner-contexts-and-labels/


############
# AppArmor #
############
Reference:
http://www.thegeekstuff.com/2014/03/apparmor-ubuntu/


########################
# Bash Shell Scripting #
########################
http://www.thegeekstuff.com/2011/07/bash-for-loop-examples/
http://www.thegeekstuff.com/2010/07/bash-string-manipulation/
http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/


############################
# Ubuntu Server Build Task #
############################
https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

############################
# CentOS Server Build Task #
############################
https://www.howtoforge.com/tutorial/perfect-server-centos-7-1-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig3/


######################################################
# What kind of Linux am I on and how can I find out? #
# Great reference:                                   #
######################################################
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

What's the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release            # Debian based
cat /etc/redhat-release         # Redhat based


What's the kernel version? Is it 64-bit?
----------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-


What can be learnt from the environment variables?
--------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
----------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root


What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
dpkg --get-selections | grep -v deinstall
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'


What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'          # Search for Joomla passwords (single quotes keep $password literal)


What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
sudo iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w


What's cached? IP and/or MAC addresses
--------------------------------------
arp -e
route
/sbin/route -nee


Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
sudo cat /etc/sudoers
sudo -l
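The /etc/passwd one-liners above turned into a single account audit, as an added example that is not part of the original notes: it flags extra UID-0 accounts, duplicate UIDs, accounts with an empty password field and service accounts that still have a login shell. Input is any passwd-format file; the sample inside the script is constructed for the demonstration, not taken from a real host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: a small audit of a
# passwd-format file (name:pw:uid:gid:gecos:home:shell), generalising the
# awk one-liners that list super users. Assumption: UIDs below 1000 are
# service accounts, as on Debian/Ubuntu.
set -eu

# audit_passwd FILE : one finding per line (sorted); prints nothing when clean.
# A FILE of "-" reads standard input.
audit_passwd() {
  awk -F: '
    /^#/ || NF < 7 { next }                    # skip comments and malformed lines
    {
      name = $1; pw = $2; uid = $3 + 0; shell = $7
      seen[uid]++
      if (uid == 0 && name != "root")  print "UID0-ALIAS " name        # a second root
      if (pw == "")                    print "EMPTY-PASSWORD " name    # no password needed
      # service accounts normally carry a non-interactive shell
      if (uid > 0 && uid < 1000 && shell !~ /(nologin|false|sync|halt|shutdown)$/)
        print "SYSTEM-WITH-SHELL " name " " shell
    }
    END { for (u in seen) if (seen[u] > 1) print "DUPLICATE-UID " u }
  ' "$1" | LC_ALL=C sort
}

# Constructed sample (not a real host) with one of each problem.
sample_passwd() {
  cat <<'EOF'
# constructed sample
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
strategicsec:x:1000:1000::/home/strategicsec:/bin/bash
dup:x:1000:1000::/home/dup:/bin/bash
guest::1001:1001::/home/guest:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
EOF
}

# No argument: audit the constructed sample. With a path (e.g. /etc/passwd): audit that file.
if [ $# -gt 0 ]; then audit_passwd "$1"; else sample_passwd | audit_passwd -; fi
```

On a shadow-enabled host an empty second field is rare, so a hit there is worth checking immediately; the same awk with `-F:` on /etc/shadow (as root) shows which accounts have no password hash at all.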


What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
sudo cat /etc/shadow
ls -alh /var/mail/


Anything "interesting" in the home directory(ies)? If it's possible to access
-----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
--------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
sudo cat /root/anaconda-ks.cfg


What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history


What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


Any settings/files (hidden) on the website? Any settings file with database information?
----------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


Is there anything in the log file(s)? (Could help with "Local File Includes"!)
------------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp


###########################
# Target IP Determination #
###########################
- This portion starts the actual workshop content
- Zone Transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk @ns.heartinternet.co.uk


- Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
perl blindcrawl.pl -d motorola.com
    Look up the IP addresses at:
    http://www.networksolutions.com/whois/index.jsp


- Note: If you are on a different machine and need to download blindcrawl, you can download it this way:
wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
chmod +x blindcrawl.pl


cd ~/toolz/fierce2
sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
    strategicsec


- Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/


cd ~/toolz/fierce2
wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
tar -zxvf Template-Toolkit-2.14.tar.gz
cd Template-Toolkit-2.14/
perl Makefile.PL
    y
    y
    n
    y
sudo make install
     strategicsec

cd ..

sudo bash install.sh
     strategicsec

./fierce

./fierce -dns motorola.com

cd ~/toolz/

- Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
gcc -o ipcrawl ipcrawl.c
chmod +x ipcrawl


- Here we do a forward lookup against an entire IP range. Basically, take every IP in the range and see what its hostname is.
cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254               (DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
     strategicsec

sudo nmap -sL 148.87.1.0-255 | grep oracle
     strategicsec

- Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
     strategicsec


###########################
# Load Balancer Detection #
###########################

- Here are some options to use for identifying load balancers:
    - http://toolbar.netcraft.com/site_report/
    - Firefox LiveHTTP Headers


- Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh google.com


halberd microsoft.com
halberd motorola.com
halberd oracle.com


######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com


cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com
     strategicsec

sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
     strategicsec


#########################
# Playing with Nmap NSE #
#########################

nmap -Pn -p80 --script ip-geolocation-* strategicsec.com

nmap -p80 --script dns-brute strategicsec.com

nmap --script http-robtex-reverse-ip secore.info

nmap -Pn -p80 --script=http-headers strategicsec.com


ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* strategicsec.com

############
# Nmap NSE #
############

- Reference for this tutorial is:
https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
     strategicsec

-- The Head Section --
-- description and categories are the fields the NSE script loader expects
description = [[Workshop demo script: reports on open tcp/80]]
categories = {"discovery", "safe"}

-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "I love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
description = [[Workshop demo script: reports on any HTTP port]]
categories = {"discovery", "safe"}
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
    return "I still love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443


OK, now let's have some fun with my buddy Carlos Perez's website, which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
description = [[Workshop demo script: fetches one page and returns the HTTP status]]
categories = {"discovery", "safe"}
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
description = [[Workshop demo script: returns the page body on HTTP 200]]
categories = {"discovery", "safe"}
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
description = [[Workshop demo script: matches a string in the page body]]
categories = {"discovery", "safe"}
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
description = [[Workshop demo script: reports Vulnerable / Not Vulnerable from a body match]]
categories = {"discovery", "safe"}
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script:
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


####################
# Installing Scapy #
####################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot


- Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html


- To run Scapy interactively

    sudo scapy


#####################################
# Sending ICMPv4 Packets with scapy #
#####################################

- In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP()


- This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display()


- Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="192.168.54.184"

    i.display()


- Notice that scapy automatically fills in your machine's source IP address.

- Use these commands to create an object named ic of type ICMP and display its properties:

    ic = ICMP()

    ic.display()


- Use this command to send the packet onto the network and listen for a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic)


- This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.

  1067. - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.
  1068.  
  1069. - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):
  1070.  
  1071.  
  1072.     sr1(i/ic/"YOUR NAME")
  1073.  
  1074.  
  1075. - You should see a reply with a Raw section containing your name.
  1076.  
  1077.  
  1078.  
  1079. ###################################
  1080. # Sending a UDP Packet with Scapy #
  1081. ###################################
  1082.  
  1083.  
  1084. - Preparing the Target
  1085. $ ncat -ulvp 4444
  1086.  
  1087.  
  1088.  
  1089.  
  1090. --open another terminal--
  1091. In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:
  1092.  
  1093.     u = UDP()
  1094.  
  1095.     u.display()
  1096.  
  1097.  
  1098.  
  1099. - This creates an object named u of type UDP, and displays its properties.
  1100.  
  1101. - Execute these commands to change the destination port to 4444 and display the properties again:
  1102.  
  1103.     i.dst="192.168.54.184"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)
  1104.  
  1105.     u.dport = 4444
  1106.  
  1107.     u.display()
  1108.  
  1109.  
  1110.  
1111. - Execute this command to send the packet to the target host that is running ncat:
  1112.  
  1113.     send(i/u/"YOUR NAME SENT VIA UDP\n")
  1114.  
  1115.  
  1116.  
1117. - In the ncat window on the target, you should see the message appear
  1118.  
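- Added example (not from the class notes, and not scapy code): a pure Python 3 builder for the same IPv4/ICMP echo and IPv4/UDP bytes that sr1(i/ic/"YOUR NAME") and send(i/u/"YOUR NAME SENT VIA UDP\n") put on the wire. It shows what scapy fills in for you when you leave fields at their defaults (total length, the IP and ICMP checksums, the UDP pseudo-header checksum) and parses its own output back, so it runs without root or a live target. The addresses are made-up lab values (assumption); the payloads are the class's strings.

```python
# Added example, not part of the class notes: build the IPv4/ICMP and IPv4/UDP
# packets scapy assembles from i/ic/"YOUR NAME" and i/u/"YOUR NAME SENT VIA UDP\n"
# by hand, so the layer boundaries and checksums are visible without a live network.
# Addresses below are made-up lab values (assumption); payloads are the class's strings.
import socket
import struct

PROTO_ICMP = 1
PROTO_UDP = 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                ttl: int = 64, ident: int = 1) -> bytes:
    """20-byte IPv4 header, no options. Total length and checksum are the fields
    i.display() shows as None; scapy fills them in at send time."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, 0,   # ver/ihl, tos, len, id, flags/frag
                      ttl, proto, 0,                                 # ttl, protocol, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo(payload: bytes, ident: int = 0, seq: int = 0) -> bytes:
    """ICMP echo request (type 8, code 0) followed by the Raw payload."""
    hdr = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(hdr + payload)     # ICMP checksum covers header + data
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def udp_datagram(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload. The checksum also covers a pseudo-header holding the
    IP addresses, which is why i.dst has to be set before the UDP layer is final."""
    length = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, PROTO_UDP, length)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    csum = inet_checksum(pseudo + hdr + payload) or 0xFFFF   # 0 means "no checksum" in UDP
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def build_icmp_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Equivalent of IP(dst=dst)/ICMP()/payload."""
    icmp = icmp_echo(payload)
    return ipv4_header(src, dst, PROTO_ICMP, len(icmp)) + icmp


def build_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Equivalent of IP(dst=dst)/UDP(sport=sport, dport=dport)/payload."""
    udp = udp_datagram(src, dst, sport, dport, payload)
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the IPv4 header and verify its checksum (a valid header sums to 0)."""
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "len": total_len, "ttl": ttl, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "header_ok": inet_checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:total_len]}


def parse_udp(seg: bytes) -> dict:
    """Decode a UDP segment (the payload of a protocol-17 IPv4 packet)."""
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "len": length, "data": seg[8:length]}


if __name__ == "__main__":
    pkt = build_icmp_packet("192.168.54.10", "192.168.54.184", b"YOUR NAME")
    print(parse_ipv4(pkt))
    pkt = build_udp_packet("192.168.54.10", "192.168.54.184", 53123, 4444,
                           b"YOUR NAME SENT VIA UDP\n")
    print(parse_udp(parse_ipv4(pkt)["payload"]))
```

Compare the dict parse_ipv4() returns with i.display() after sr1(): the same fields appear, and the reply you get from a real host swaps src and dst and carries ICMP type 0 instead of 8.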
  1119.  
  1120. p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))
  1121.  
  1122.  
  1123. p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))
  1124.  
  1125.  
  1126. p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))
  1127.  
  1128.  
1129. traceroute(["strategicsec.com"], maxttl=20)
1130.     This is a TCP SYN traceroute: scapy sends SYNs with increasing TTL and reads the ICMP time-exceeded replies from each hop; the default destination port is 80
  1131.  
  1132.  
  1133. traceroute (["strategicsec.com"], dport=443, maxttl=20)
  1134.  
  1135.  
  1136.  
  1137. ############################
  1138. # Ping Sweeping with Scapy #
  1139. ############################
  1140.  
  1141. ----------------------------------------------------------------------
  1142. vi scapy-pingsweep.py
  1143.  
  1144.  
1145. #!/usr/bin/python
1146. from __future__ import print_function   # same script runs under python2 and python3
1147. from scapy.all import *
1148. TIMEOUT = 2
1149. conf.verb = 0
1150. for ip in range(1, 255):                 # skip .0 (network) and .255 (broadcast)
1151.     packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
1152.     reply = sr1(packet, timeout=TIMEOUT)
1153.     if reply is not None:
1154.          print(reply.src, "is online")   # reply.src is the host that answered; reply.dst would be our own address
1155.     else:
1156.          print("Timeout waiting for %s" % packet[IP].dst)
  1157. ----------------------------------------------------------------------
  1158.  
  1159.  
  1160. ###############################################
  1161. # Checking out some scapy based port scanners #
  1162. ###############################################
  1163.  
  1164. wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py
  1165.  
  1166. cat rdp_scan.py
  1167.  
  1168. sudo python rdp_scan.py 192.168.1.250
  1169.  
  1170.  
  1171.  
  1172. Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
  1173.  
  1174. After logging please open a terminal window and type the following commands:
  1175.  
  1176. cd Desktop/
  1177.  
  1178.  
1179. This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):
  1180.  
  1181. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1182. wget http://www.beenuarora.com/code/analyse_malware.py
  1183.  
  1184. unzip malware-password-is-infected.zip
  1185.         infected
  1186.  
  1187. file malware.exe
  1188.  
  1189. mv malware.exe malware.pdf
  1190.  
  1191. file malware.pdf
  1192.  
  1193. mv malware.pdf malware.exe
  1194.  
  1195. hexdump -n 2 -C malware.exe
  1196.  
  1197. ***What is '4d 5a' or 'MZ'***
  1198. Reference: http://www.garykessler.net/library/file_sigs.html
  1199.  
  1200.  
  1201. objdump -x malware.exe
  1202.  
  1203. strings malware.exe
  1204.  
  1205. strings --all malware.exe | head -n 6
  1206.  
  1207. strings malware.exe | grep -i dll
  1208.  
  1209. strings malware.exe | grep -i library
  1210.  
  1211. strings malware.exe | grep -i reg
  1212.  
  1213. strings malware.exe | grep -i hkey
  1214.  
  1215. strings malware.exe | grep -i hku
  1216.  
  1217.                                                         - We didn't see anything like HKLM, HKCU or other registry type stuff
  1218.  
  1219. strings malware.exe | grep -i irc
  1220.  
  1221. strings malware.exe | grep -i join                    
  1222.  
  1223. strings malware.exe | grep -i admin
  1224.  
  1225. strings malware.exe | grep -i list
  1226.  
  1227.  
  1228.                                                         - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  1229. sudo apt-get install -y python-pefile
  1230.  
  1231. vi analyse_malware.py
  1232.  
  1233. python analyse_malware.py malware.exe
  1234.  
  1235.  
  1236. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  1237. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  1238.  
  1239.  
  1240. Malware Repositories:
  1241. http://malshare.com/index.php
  1242. http://www.malwareblacklist.com/
  1243. http://www.virusign.com/
  1244. http://virusshare.com/
  1245. http://www.tekdefense.com/downloads/malware-samples/
  1246.  
  1247. ###############################
  1248. # Creating a Malware Database #
  1249. ###############################
  1250.  
  1251. Creating a malware database (sqlite)
  1252. ------------------------------------
  1253. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1254. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1255. unzip malware-password-is-infected.zip
  1256.         infected
  1257. python avsubmit.py --init
  1258. python avsubmit.py -f malware.exe -e
  1259.  
  1260.  
  1261.  
  1262.  
  1263.  
  1264. Creating a malware database (mysql)
  1265. -----------------------------------
  1266. Step 1: Installing MySQL database
  1267. Run the following command in the terminal:
  1268.  
  1269. sudo apt-get install mysql-server
  1270.          
  1271. Step 2: Installing Python MySQLdb module
  1272. Run the following command in the terminal:
  1273.  
  1274. sudo apt-get build-dep python-mysqldb
  1275. sudo apt-get install python-mysqldb
  1276.  
  1277. Step 3: Logging in
  1278. Run the following command in the terminal:
  1279.  
  1280. mysql -u root -p                                        (set a password of 'malware')
  1281.  
  1282. Then create one database by running following command:
  1283.  
  1284. create database malware;
  1285.  
  1286.  
  1287.  
  1288. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1289.  
1290. vi mal_to_db.py                         (fill in database connection information)
  1291.  
  1292. python mal_to_db.py -i
  1293.  
  1294. python mal_to_db.py -i -f malware.exe -u
  1295.  
  1296.  
  1297. mysql -u root -p
  1298.         malware
  1299.  
  1300. mysql> use malware;
  1301.  
1302. mysql> select id,md5,sha1,sha256,time FROM files;
  1303.  
  1304. mysql> quit;
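- Added example (not from the class notes or from the MalwareTools scripts): the same hash-indexed sample table that mal_to_db.py fills in MySQL, built with Python 3's standard sqlite3 module so it needs no database server. The schema mirrors the columns queried above (id, md5, sha1, sha256, time), refuses duplicate samples by sha256, and can be searched by any of the three digests; the SAMPLE bytes are a constructed stand-in for malware.exe, not a real binary.

```python
# Added example, not from the class notes or the MalwareTools repo: a hash-indexed
# sample database like the one mal_to_db.py fills in MySQL, using the standard
# library's sqlite3 so it needs no server. The SAMPLE bytes below are a constructed
# stand-in for malware.exe (assumption); they are not a real binary.
import hashlib
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,   -- one row per distinct sample
    name   TEXT,                   -- filename as submitted (may differ between copies)
    size   INTEGER NOT NULL,
    time   TEXT NOT NULL           -- UTC timestamp of first sighting
);
CREATE INDEX IF NOT EXISTS files_md5  ON files(md5);
CREATE INDEX IF NOT EXISTS files_sha1 ON files(sha1);
"""

# Constructed stand-in for malware.exe: an MZ stub plus filler, nothing executable.
SAMPLE = b"MZ" + b"\x00" * 62 + b"constructed sample for the hash database example"


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    """Open (or create) the database and make sure the schema exists."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def hash_bytes(data: bytes) -> dict:
    """The three digests the class queries: md5, sha1, sha256 (lower-case hex)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def add_sample(con: sqlite3.Connection, data: bytes, name: str) -> bool:
    """Insert one sample. Returns False (and stores nothing) when the same sha256
    is already present, so re-running over a directory of samples is idempotent."""
    h = hash_bytes(data)
    try:
        con.execute(
            "INSERT INTO files (md5, sha1, sha256, name, size, time) VALUES (?, ?, ?, ?, ?, ?)",
            (h["md5"], h["sha1"], h["sha256"], name, len(data),
             time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())))
        con.commit()
        return True
    except sqlite3.IntegrityError:       # UNIQUE(sha256) violated
        return False


def lookup(con: sqlite3.Connection, digest: str):
    """Find a sample by any of its digests; returns the row tuple or None."""
    d = digest.strip().lower()
    return con.execute(
        "SELECT id, md5, sha1, sha256, name, size, time FROM files "
        "WHERE md5 = ? OR sha1 = ? OR sha256 = ?", (d, d, d)).fetchone()


def list_samples(con: sqlite3.Connection) -> list:
    """Same projection as the class's query: select id,md5,sha1,sha256,time FROM files."""
    return con.execute("SELECT id, md5, sha1, sha256, time FROM files ORDER BY id").fetchall()


if __name__ == "__main__":
    db = open_db()                      # use open_db("malware.sqlite") to persist to disk
    print("inserted:", add_sample(db, SAMPLE, "malware.exe"))
    print("inserted again:", add_sample(db, SAMPLE, "malware-copy.exe"))   # duplicate -> False
    for row in list_samples(db):
        print(row)
```

Keying uniqueness on sha256 rather than md5 matters for a sample store: md5 collisions are cheap to manufacture, so two different files sharing an md5 would otherwise silently overwrite or hide each other.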
  1305.  
  1306.  
  1307.  
  1308.  
  1309.  
  1310. ##############################
  1311. # Lesson 32: Setting up Yara #
  1312. ##############################
  1313.  
  1314.  
  1315. sudo apt-get install clamav clamav-freshclam
  1316.  
  1317. sudo freshclam
  1318.  
1319. sudo clamscan
  1320.  
  1321. sudo apt-get install libpcre3 libpcre3-dev
  1322.  
  1323. wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
  1324.  
  1325. wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
  1326.  
  1327. tar -zxvf v3.1.0.tar.gz
  1328.  
  1329. cd yara-3.1.0/
  1330.  
  1331. ./bootstrap.sh
  1332.  
  1333. ./configure
  1334.  
  1335. make
  1336.  
  1337. make check
  1338.  
  1339. sudo make install
  1340.  
  1341. cd yara-python/
  1342.  
  1343. python setup.py build
  1344.  
  1345. sudo python setup.py install
  1346.  
  1347. cd ..
  1348.  
  1349. yara -v
  1350.  
  1351. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
  1352.  
  1353. sigtool -u /var/lib/clamav/main.cvd
  1354.  
  1355. python clamav_to_yara.py -f main.ndb -o clamav.yara
  1356.  
  1357. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1358.  
  1359. unzip malware-password-is-infected.zip
  1360.         infected
  1361.  
  1362. mkdir malcode/
  1363.  
  1364. mv malware.exe malcode/
  1365.  
  1366. vi testrule.yara
  1367. ----------------
1368. rule IsPE
1369. {
1370.     meta:
1371.         description = "Windows executable file"
1372.  
1373.     condition:
1374.         // MZ signature at offset 0 and ...
1375.         uint16(0) == 0x5A4D and
1376.         // ... PE signature at offset stored in MZ header at 0x3C
1377.         uint32(uint32(0x3C)) == 0x00004550
1378. }
1379.  
1380. rule has_no_DEP
1381. {
1382.     meta:
1383.         description = "DEP is not enabled"
1384.  
1385.     condition:
1386.         IsPE and
1387.         (uint16(uint32(0x3C) + 0x5E) & 0x0100) == 0   // DllCharacteristics sits 0x5E past the PE signature; 0x0100 = IMAGE_DLLCHARACTERISTICS_NX_COMPAT
1388. }
1389.  
1390. rule has_no_ASLR
1391. {
1392.     meta:
1393.         description = "ASLR is not enabled"
1394.  
1395.     condition:
1396.         IsPE and
1397.         (uint16(uint32(0x3C) + 0x5E) & 0x0040) == 0   // 0x0040 = IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
1398. }
  1399. ----------------
  1400.  
  1401.  
  1402. yara testrule.yara malcode/malware.exe
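- Added example (not from the class notes or the Malware Analyst's Cookbook rules): the IsPE, has_no_DEP and has_no_ASLR conditions re-implemented in Python 3, so you can see exactly which bytes the uint16()/uint32() reads in the rules touch and check a file without yara installed. The PE images it tests are constructed in memory (assumption: a minimal PE32 with only the header fields the checks need); nothing here is real malware.

```python
# Added example, not from the class notes or the Malware Analyst's Cookbook:
# the IsPE / has_no_DEP / has_no_ASLR YARA conditions done by hand in Python 3.
# make_fake_pe() builds a minimal PE32 in memory (assumption: only the fields the
# checks read are populated) so the code runs without a real sample.
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in


def is_pe(data: bytes) -> bool:
    """YARA: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550"""
    if len(data) < 0x40 or data[:2] != b"MZ":          # 'MZ' is 0x4D 0x5A; little-endian uint16 reads as 0x5A4D
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def dll_characteristics(data: bytes) -> int:
    """YARA: uint16(uint32(0x3C) + 0x5E)
    0x5E = 4 (PE signature) + 20 (COFF file header) + 0x46 (DllCharacteristics
    inside the optional header); the offset is the same for PE32 and PE32+."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 0x5E)[0]


def check_mitigations(data: bytes) -> dict:
    """Return the three verdicts the YARA rules give, keyed by rule name."""
    if not is_pe(data):
        return {"IsPE": False, "has_no_DEP": False, "has_no_ASLR": False}
    flags = dll_characteristics(data)
    # Parentheses are required here: YARA evaluates & before ==, Python and C do not.
    return {
        "IsPE": True,
        "has_no_DEP": (flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == 0,
        "has_no_ASLR": (flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == 0,
    }


def make_fake_pe(dllchar: int, e_lfanew: int = 0x80) -> bytes:
    """Constructed minimal PE32 image: MZ stub with e_lfanew, PE signature, a COFF
    header for i386 with one section, and an optional header in which only the
    Magic and DllCharacteristics fields are set. Not loadable, just parseable."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 0x46, dllchar)     # DllCharacteristics
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt)


if __name__ == "__main__":
    for label, flags in (("hardened", 0x0140), ("no mitigations", 0x0000), ("DEP only", 0x0100)):
        print(label, check_mitigations(make_fake_pe(flags)))
    print("not a PE", check_mitigations(b"%PDF-1.4 constructed, not a PE"))
```

To run the same checks against the lab sample, pass open("malcode/malware.exe", "rb").read() to check_mitigations(); the output should agree rule for rule with yara testrule.yara malcode/malware.exe.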
  1403.  
  1404. mkdir rules/
  1405.  
  1406. cd rules/
  1407.  
  1408. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
  1409.  
  1410. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
  1411.  
  1412. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
  1413.  
  1414. cd ..
  1415.  
1416. yara rules/*.yara malcode/malware.exe                  (yara takes one or more rule files, not a directory)
  1417.  
  1418. wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
  1419.  
  1420. unzip master.zip
  1421.  
  1422. cd YaraGenerator-master/
  1423.  
  1424. python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
  1425.  
  1426. cat Test-Rule-2.yar
  1427.  
  1428. wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  1429.  
  1430. yara Test-Rule-2.yar putty.exe
  1431.  
  1432.  
  1433.  
  1434.  
  1435. ####################
  1436. # Additional Tasks #
  1437. ####################
  1438.  
  1439. - PE Scanner:
  1440. https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  1441. http://www.beenuarora.com/code/analyse_malware.py
  1442.  
  1443. - AV submission:
  1444. http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1445. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
  1446.  
  1447. - Malware Database Creation:
  1448. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1449.  
  1450.  
  1451.  
  1452.  
  1453. cd /home/malware/Desktop/Browser\ Forensics
  1454.  
  1455. ls | grep pcap
  1456.  
  1457. perl chaosreader.pl suspicious-time.pcap
  1458.  
  1459. firefox index.html
  1460.  
  1461. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1462.  
  1463. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1464.  
1465. tshark -r suspicious-time.pcap -qz io,phs              (-r reads the capture file, so -i eth0 and sudo are not needed)
  1466.  
  1467.  
  1468.  
  1469.  
  1470. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
  1471.  
  1472.  
  1473. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1474.  
  1475.  
  1476. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1477.  
  1478.  
  1479. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1480.  
  1481.  
1485. tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq          (-Y is the single-pass display filter; current tshark only accepts -R together with -2)
1486.  
1487. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
1488.  
1489. tshark -r suspicious-time.pcap -qz ip_hosts,tree
1490.  
1491. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
1492.  
1493. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1494.  
  1495.  
  1496. whois rapidshare.com.eyu32.ru
  1497.  
  1498. whois sploitme.com.cn
  1499.  
  1500.  
  1501.  
  1502.  
  1503.  
1504. tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
1505.  
1506. tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
1507.  
1508. tshark -r suspicious-time.pcap -qz http_req,tree
1509.  
1510. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
1511.  
1512. tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1513.  
  1514.  
  1515.  
  1516.  
  1517.  
  1518. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1519.  
  1520. python volatility
  1521. python volatility pslist -f ../hn_forensics.vmem
  1522. python volatility connscan2 -f ../hn_forensics.vmem
  1523. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  1524. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  1525.                                 ***Takes a few min***
  1526. strings 1752.dmp | grep "^http://" | sort | uniq
  1527. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1528. cd ..
  1529. cd foremost-1.5.7/
  1530. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  1531. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  1532. cat audit.txt
  1533. cd pdf
  1534. ls
  1535. grep -i javascript *.pdf
  1536.  
  1537.  
  1538.  
  1539. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  1540. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1541. unzip pdf-parser_V0_6_4.zip
  1542. python pdf-parser.py -s javascript --raw 00600328.pdf
  1543. python pdf-parser.py --object 11 00600328.pdf
  1544. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  1545.  
  1546. cat malicious.js
  1547.  
  1548.  
  1549. *****Sorry - no time to cover javascript de-obfuscation today*****
  1550.  
  1551.  
  1552. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  1553. python volatility files -f ../hn_forensics.vmem > files
  1554. cat files | less
  1555. python volatility malfind -f ../hn_forensics.vmem -d out
  1556. ls out/
  1557. python volatility hivescan -f ../hn_forensics.vmem                                                                    
  1558. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
1559. for file in *.dmp; do echo "$file"; strings "$file" | grep bankofamerica; done