BLTSEC

autoweb.sh

Apr 16th, 2019
  1. #! /bin/bash
  2. echo ""
  3. echo "********************************"
  4. echo "*           AutoWeb            *"
  5. echo "*    Automated Weblog Triage   *"
  6. echo "*          Version 2           *"
  7. echo "*                              *"
  8. echo "*           by Michael Leclair *"
  9. echo "********************************"
  10. echo ""
  11. echo "Script to autorun weblog triage searches"
  12. echo ""
  13. echo "Runs commonly used grep & regex commands for incident response fast triage methodologies"
  14. echo "Automatic post-processing on some results is built in to faciliate frequency analysis"
  15. echo ""
  16. echo ""
  17. echo "Usage: ./autoweb.sh <weblog directory> "
  18. echo ""
  19. echo "Example: ./autoweb.sh logs/ "
  20. echo ""
  21. echo""
  22. read -p "Press [Enter] key to start AutoWeb"
  23. clear
  24. echo""
  25. # Start of AutoWeb script
  26. echo "****************************"
  27. echo "*  AutoWeb script started  *"
  28. echo "****************************"
  29. echo ""
  30. exec 2>/dev/null
  31. mkdir autoweb_results
  32. results=autoweb_results
  33. #
  34. echo  "Custom IOC search started"
  35. grep -h -E -r -i -f iocs.txt -r $1 > $results/custom_ioc_search.txt
  36. echo ">>> Custom IOC search completed"
  37. echo ""
  38. echo  "IP frequency searches started"
  39. grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/ip_search.txt
  40. # IP only lists for open source intelligence searches
  41. grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | sort | uniq | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" > $results/ips_for_osint_check_all.txt
  42. grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | sort | uniq | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -h -E -o -v "(^127\.0\.0\.1)|(^192\.168)|(^10\.)|(^172\.1[6-9])|(^172\.2[0-9])|(^172\.3[0-1])" > $results/ips_for_osint_check_external_only.txt
  43. echo ">>> IP frequency searches completed"
  44. echo ""
  45. echo  "HTTP request method search started"
  46. grep -h -r -E -i -o "(get|post|connect|put|patch|delete|head|options|trace)" $1 | grep -h -E -i -o "(get|post|connect|put|patch|delete|head|options|trace)" | sort | uniq -c | sort -n > $results/http_methods.txt
  47. echo ">>> HTTP request method search completed"
  48. echo ""
  49. echo "SQLi attack pattern searches started"
  50. # basic keyword search
  51. grep -h -r -E -i "(select|union|1=1|join|inner)" $1 > $results/sqli_search_basic.txt
  52. # MS SQL Server Pivoting off of exec sp or xp
  53. grep -h -r -E -i "/exec(\s|\+)+(s|x)p\w+/ix" $1 > $results/sqli_search_mssql.txt
  54. # better keyword search using single quote or hex equivalent followed by keywords
  55. grep -h -r -E -i "/((\%27)|(\'))(union|select|inner|join|drop|update|insert)/ix" $1 > $results/sqli_search_keyword.txt
  56. # Search pivoting off of keyword "or" preceded by a single quote for its hex equivalent
  57. grep -h -r -E -i "/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix" $1 > $results/sqli_search_typical.txt
  58. # Search pivoting off of a single quote,doible dash or hash symbol or their hex equivalents
  59. grep -h -r -E -i "/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix" $1 > $results/sqli_search_metachar_1.txt
  60. # Search pivoting off of an equal sign, single quote, double dash or semicolon or there hexa Quillivant
  61. grep -h -r -E -i "/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i" $1 > $results/sqli_search_metachar_2.txt
  62. echo ">>> SQLi attack pattern searches completed"
  63. echo ""
  64. echo "Web shell attack pattern searches started"
  65. grep -h -E -i -r "\.(jsp|asp|aspx|js|php|cfm)" $1 | grep -h -E -i -o "(\/|\\\)[a-z0-9 -_]{1,15}\.(jsp|asp|aspx|js|php|cfm)" | sort | uniq -c | sort -n > $results/webshell_search_1.txt
  66. grep -h -E -i -r "\.(jsp|asp|aspx|js|php|cfm)" $1 | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/webshell_search_ip_freq.txt
  67. grep -h -E -i -r "(jspspy|%eval)" $1 > $results/webshell_search_2.txt
  68. # The following searches are repeat of the above three searches but only focused on records with "post" requests
  69. grep -h -E -i -r post $1 | grep -h -E -i "\.(jsp|asp|aspx|js|php|cfm)" | grep -h -E -i -o "(\/|\\\)[a-z0-9 -_]{1,15}\.(jsp|asp|aspx|js|php|cfm)" | sort | uniq -c | sort -n > $results/webshell_search_1_postonly.txt
  70. grep -h -E -i -r post $1 | grep -h -E -i "\.(jsp|asp|aspx|js|php|cfm)" | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/webshell_search_ip_freq_postonly.txt
  71. grep -h -E -i -r post $1 | grep -h -E -i "(jspspy|%eval)" > $results/webshell_search_2_postonly.txt
  72. echo ">>> Web shell attack pattern searches completed"
  73. echo ""
  74. echo "XSS attack pattern searches started"
  75. # Simple search
  76. grep -h -E -r -i "<script>" $1 > $results/xss_search_widenet.txt
  77. # Search pivoting off of opening and closing bracket or their hex equivalents
  78. grep -h -E -r -i "/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix" $1 > $results/xss_search_simple.txt
  79. # Search Pivoting off of "<img src"
  80. grep -h -E -r -i "/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I" $1 > $results/xss_search_imgsrc.txt
  81. # More encompassing search pivoting off of opening and closing bracket or their hex equivalents
  82. grep -h -E -r -i "/((\%3C)|<)[^\n]+((\%3E)|>)/I" $1 > $results/xss_search_paranoid.txt
  83. echo ">>> XSS attack pattern searches completed"
  84. echo ""
  85. echo "base64 attack pattern search started"
  86. grep -h -E -i -r "[a-z0-9+/]+={1,2}" $1 > $results/base64_search.txt
  87. echo ">>> base64 attack pattern search completed"
  88. echo ""
  89. echo "Directory Traversal attack pattern search started"
  90. grep -h -E -r "(\/\.\/|\/\.\.\/)" $1 > $results/directory_traversal_search.txt
  91. echo ">>> Directory Traversal attack pattern search completed"
  92. echo ""
  93. echo "Encoding attack pattern search started"
  94. grep -h -E -i -r "(%[a-f0-9]{2}%)" $1 > $results/encoding_search.txt
  95. echo ">>> Encoding attack pattern search completed"
  96. echo ""
  97. echo "Long URL attack pattern search started"
  98. grep -h -E -i -o -r "(\/|\.)([a-z0-9-]{30,75})(\/|\.)" $1 | grep -h -E -i -o "(\/|\.)([a-z0-9-]{30,75})(\/|\.)" | sort | uniq -c | sort -n > $results/long_url_search.txt
  99. echo ">>> Long URL attack pattern search completed"
  100. echo ""
  101. echo "Archiving results"
  102. zip -r autoweb_results.zip $results
  103. echo ">>>>> AutoWeb Searches completed <<<<<"