SHARE
TWEET

autoweb.sh

BLTSEC Apr 16th, 2019 (edited) 102 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. #! /bin/bash
  2. echo ""
  3. echo "********************************"
  4. echo "*           AutoWeb            *"
  5. echo "*    Automated Weblog Triage   *"
  6. echo "*          Version 2           *"
  7. echo "*                              *"
  8. echo "*           by Michael Leclair *"
  9. echo "********************************"
  10. echo ""
  11. echo "Script to autorun weblog triage searches"
  12. echo ""
  13. echo "Runs commonly used grep & regex commands for incident response fast triage methodologies"
  14. echo "Automatic post-processing on some results is built in to faciliate frequency analysis"
  15. echo ""
  16. echo ""
  17. echo "Usage: ./autoweb.sh <weblog directory> "
  18. echo ""
  19. echo "Example: ./autoweb.sh logs/ "
  20. echo ""
  21. echo""
  22. read -p "Press [Enter] key to start AutoWeb"
  23. clear
  24. echo""
  25. # Start of AutoWeb script
  26. echo "****************************"
  27. echo "*  AutoWeb script started  *"
  28. echo "****************************"
  29. echo ""
  30. exec 2>/dev/null
  31. mkdir autoweb_results
  32. results=autoweb_results
  33. #
  34. echo  "Custom IOC search started"
  35. grep -h -E -r -i -f iocs.txt -r $1 > $results/custom_ioc_search.txt
  36. echo ">>> Custom IOC search completed"
  37. echo ""
  38. echo  "IP frequency searches started"
  39. grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/ip_search.txt
  40. # IP only lists for open source intelligence searches
  41. grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | sort | uniq | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" > $results/ips_for_osint_check_all.txt
  42. grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | sort | uniq | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -h -E -o -v "(^127\.0\.0\.1)|(^192\.168)|(^10\.)|(^172\.1[6-9])|(^172\.2[0-9])|(^172\.3[0-1])" > $results/ips_for_osint_check_external_only.txt
  43. echo ">>> IP frequency searches completed"
  44. echo ""
  45. echo  "HTTP request method search started"
  46. grep -h -r -E -i -o "(get|post|connect|put|patch|delete|head|options|trace)" $1 | grep -h -E -i -o "(get|post|connect|put|patch|delete|head|options|trace)" | sort | uniq -c | sort -n > $results/http_methods.txt
  47. echo ">>> HTTP request method search completed"
  48. echo ""
  49. echo "SQLi attack pattern searches started"
  50. # basic keyword search
  51. grep -h -r -E -i "(select|union|1=1|join|inner)" $1 > $results/sqli_search_basic.txt
  52. # MS SQL Server Pivoting off of exec sp or xp
  53. grep -h -r -E -i "/exec(\s|\+)+(s|x)p\w+/ix" $1 > $results/sqli_search_mssql.txt
  54. # better keyword search using single quote or hex equivalent followed by keywords
  55. grep -h -r -E -i "/((\%27)|(\'))(union|select|inner|join|drop|update|insert)/ix" $1 > $results/sqli_search_keyword.txt
  56. # Search pivoting off of keyword "or" preceded by a single quote for its hex equivalent
  57. grep -h -r -E -i "/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix" $1 > $results/sqli_search_typical.txt
  58. # Search pivoting off of a single quote,doible dash or hash symbol or their hex equivalents
  59. grep -h -r -E -i "/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix" $1 > $results/sqli_search_metachar_1.txt
  60. # Search pivoting off of an equal sign, single quote, double dash or semicolon or there hexa Quillivant
  61. grep -h -r -E -i "/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i" $1 > $results/sqli_search_metachar_2.txt
  62. echo ">>> SQLi attack pattern searches completed"
  63. echo ""
  64. echo "Web shell attack pattern searches started"
  65. grep -h -E -i -r "\.(jsp|asp|aspx|js|php|cfm)" $1 | grep -h -E -i -o "(\/|\\\)[a-z0-9 -_]{1,15}\.(jsp|asp|aspx|js|php|cfm)" | sort | uniq -c | sort -n > $results/webshell_search_1.txt
  66. grep -h -E -i -r "\.(jsp|asp|aspx|js|php|cfm)" $1 | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/webshell_search_ip_freq.txt
  67. grep -h -E -i -r "(jspspy|%eval)" $1 > $results/webshell_search_2.txt
  68. # The following searches are repeat of the above three searches but only focused on records with "post" requests
  69. grep -h -E -i -r post $1 | grep -h -E -i "\.(jsp|asp|aspx|js|php|cfm)" | grep -h -E -i -o "(\/|\\\)[a-z0-9 -_]{1,15}\.(jsp|asp|aspx|js|php|cfm)" | sort | uniq -c | sort -n > $results/webshell_search_1_postonly.txt
  70. grep -h -E -i -r post $1 | grep -h -E -i "\.(jsp|asp|aspx|js|php|cfm)" | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/webshell_search_ip_freq_postonly.txt
  71. grep -h -E -i -r post $1 | grep -h -E -i "(jspspy|%eval)" > $results/webshell_search_2_postonly.txt
  72. echo ">>> Web shell attack pattern searches completed"
  73. echo ""
  74. echo "XSS attack pattern searches started"
  75. # Simple search
  76. grep -h -E -r -i "<script>" $1 > $results/xss_search_widenet.txt
  77. # Search pivoting off of opening and closing bracket or their hex equivalents
  78. grep -h -E -r -i "/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix" $1 > $results/xss_search_simple.txt
  79. # Search Pivoting off of "<img src"
  80. grep -h -E -r -i "/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I" $1 > $results/xss_search_imgsrc.txt
  81. # More encompassing search pivoting off of opening and closing bracket or their hex equivalents
  82. grep -h -E -r -i "/((\%3C)|<)[^\n]+((\%3E)|>)/I" $1 > $results/xss_search_paranoid.txt
  83. echo ">>> XSS attack pattern searches completed"
  84. echo ""
  85. echo "base64 attack pattern search started"
  86. grep -h -E -i -r "[a-z0-9+/]+={1,2}" $1 > $results/base64_search.txt
  87. echo ">>> base64 attack pattern search completed"
  88. echo ""
  89. echo "Directory Traversal attack pattern search started"
  90. grep -h -E -r "(\/\.\/|\/\.\.\/)" $1 > $results/directory_traversal_search.txt
  91. echo ">>> Directory Traversal attack pattern search completed"
  92. echo ""
  93. echo "Encoding attack pattern search started"
  94. grep -h -E -i -r "(%[a-f0-9]{2}%)" $1 > $results/encoding_search.txt
  95. echo ">>> Encoding attack pattern search completed"
  96. echo ""
  97. echo "Long URL attack pattern search started"
  98. grep -h -E -i -o -r "(\/|\.)([a-z0-9-]{30,75})(\/|\.)" $1 | grep -h -E -i -o "(\/|\.)([a-z0-9-]{30,75})(\/|\.)" | sort | uniq -c | sort -n > $results/long_url_search.txt
  99. echo ">>> Long URL attack pattern search completed"
  100. echo ""
  101. echo "Archiving results"
  102. zip -r autoweb_results.zip $results
  103. echo ">>>>> AutoWeb Searches completed <<<<<"
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top