Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #! /bin/bash
- echo ""
- echo "********************************"
- echo "* AutoWeb *"
- echo "* Automated Weblog Triage *"
- echo "* Version 2 *"
- echo "* *"
- echo "* by Michael Leclair *"
- echo "********************************"
- echo ""
- echo "Script to autorun weblog triage searches"
- echo ""
- echo "Runs commonly used grep & regex commands for incident response fast triage methodologies"
- echo "Automatic post-processing on some results is built in to faciliate frequency analysis"
- echo ""
- echo ""
- echo "Usage: ./autoweb.sh <weblog directory> "
- echo ""
- echo "Example: ./autoweb.sh logs/ "
- echo ""
- echo""
- read -p "Press [Enter] key to start AutoWeb"
- clear
- echo""
- # Start of AutoWeb script
- echo "****************************"
- echo "* AutoWeb script started *"
- echo "****************************"
- echo ""
- exec 2>/dev/null
- mkdir autoweb_results
- results=autoweb_results
- #
- echo "Custom IOC search started"
- grep -h -E -r -i -f iocs.txt -r $1 > $results/custom_ioc_search.txt
- echo ">>> Custom IOC search completed"
- echo ""
- echo "IP frequency searches started"
- grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/ip_search.txt
- # IP only lists for open source intelligence searches
- grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | sort | uniq | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" > $results/ips_for_osint_check_all.txt
- grep -h -E -r -o "([0-9]{1,3}\.){3}[0-9]{1,3}" $1 | sort | uniq | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | grep -h -E -o -v "(^127\.0\.0\.1)|(^192\.168)|(^10\.)|(^172\.1[6-9])|(^172\.2[0-9])|(^172\.3[0-1])" > $results/ips_for_osint_check_external_only.txt
- echo ">>> IP frequency searches completed"
- echo ""
- echo "HTTP request method search started"
- grep -h -r -E -i -o "(get|post|connect|put|patch|delete|head|options|trace)" $1 | grep -h -E -i -o "(get|post|connect|put|patch|delete|head|options|trace)" | sort | uniq -c | sort -n > $results/http_methods.txt
- echo ">>> HTTP request method search completed"
- echo ""
- echo "SQLi attack pattern searches started"
- # basic keyword search
- grep -h -r -E -i "(select|union|1=1|join|inner)" $1 > $results/sqli_search_basic.txt
- # MS SQL Server Pivoting off of exec sp or xp
- grep -h -r -E -i "/exec(\s|\+)+(s|x)p\w+/ix" $1 > $results/sqli_search_mssql.txt
- # better keyword search using single quote or hex equivalent followed by keywords
- grep -h -r -E -i "/((\%27)|(\'))(union|select|inner|join|drop|update|insert)/ix" $1 > $results/sqli_search_keyword.txt
- # Search pivoting off of keyword "or" preceded by a single quote for its hex equivalent
- grep -h -r -E -i "/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix" $1 > $results/sqli_search_typical.txt
- # Search pivoting off of a single quote,doible dash or hash symbol or their hex equivalents
- grep -h -r -E -i "/(\%27)|(\')|(\-\-)|(\%23)|(#)/ix" $1 > $results/sqli_search_metachar_1.txt
- # Search pivoting off of an equal sign, single quote, double dash or semicolon or there hexa Quillivant
- grep -h -r -E -i "/((\%3D)|(=))[^\n]*((\%27)|(\')|(\-\-)|(\%3B)|(;))/i" $1 > $results/sqli_search_metachar_2.txt
- echo ">>> SQLi attack pattern searches completed"
- echo ""
- echo "Web shell attack pattern searches started"
- grep -h -E -i -r "\.(jsp|asp|aspx|js|php|cfm)" $1 | grep -h -E -i -o "(\/|\\\)[a-z0-9 -_]{1,15}\.(jsp|asp|aspx|js|php|cfm)" | sort | uniq -c | sort -n > $results/webshell_search_1.txt
- grep -h -E -i -r "\.(jsp|asp|aspx|js|php|cfm)" $1 | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/webshell_search_ip_freq.txt
- grep -h -E -i -r "(jspspy|%eval)" $1 > $results/webshell_search_2.txt
- # The following searches are repeat of the above three searches but only focused on records with "post" requests
- grep -h -E -i -r post $1 | grep -h -E -i "\.(jsp|asp|aspx|js|php|cfm)" | grep -h -E -i -o "(\/|\\\)[a-z0-9 -_]{1,15}\.(jsp|asp|aspx|js|php|cfm)" | sort | uniq -c | sort -n > $results/webshell_search_1_postonly.txt
- grep -h -E -i -r post $1 | grep -h -E -i "\.(jsp|asp|aspx|js|php|cfm)" | grep -h -E -o "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -n > $results/webshell_search_ip_freq_postonly.txt
- grep -h -E -i -r post $1 | grep -h -E -i "(jspspy|%eval)" > $results/webshell_search_2_postonly.txt
- echo ">>> Web shell attack pattern searches completed"
- echo ""
- echo "XSS attack pattern searches started"
- # Simple search
- grep -h -E -r -i "<script>" $1 > $results/xss_search_widenet.txt
- # Search pivoting off of opening and closing bracket or their hex equivalents
- grep -h -E -r -i "/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/ix" $1 > $results/xss_search_simple.txt
- # Search Pivoting off of "<img src"
- grep -h -E -r -i "/((\%3C)|<)((\%69)|i|(\%49))((\%6D)|m|(\%4D))((\%67)|g|(\%47))[^\n]+((\%3E)|>)/I" $1 > $results/xss_search_imgsrc.txt
- # More encompassing search pivoting off of opening and closing bracket or their hex equivalents
- grep -h -E -r -i "/((\%3C)|<)[^\n]+((\%3E)|>)/I" $1 > $results/xss_search_paranoid.txt
- echo ">>> XSS attack pattern searches completed"
- echo ""
- echo "base64 attack pattern search started"
- grep -h -E -i -r "[a-z0-9+/]+={1,2}" $1 > $results/base64_search.txt
- echo ">>> base64 attack pattern search completed"
- echo ""
- echo "Directory Traversal attack pattern search started"
- grep -h -E -r "(\/\.\/|\/\.\.\/)" $1 > $results/directory_traversal_search.txt
- echo ">>> Directory Traversal attack pattern search completed"
- echo ""
- echo "Encoding attack pattern search started"
- grep -h -E -i -r "(%[a-f0-9]{2}%)" $1 > $results/encoding_search.txt
- echo ">>> Encoding attack pattern search completed"
- echo ""
- echo "Long URL attack pattern search started"
- grep -h -E -i -o -r "(\/|\.)([a-z0-9-]{30,75})(\/|\.)" $1 | grep -h -E -i -o "(\/|\.)([a-z0-9-]{30,75})(\/|\.)" | sort | uniq -c | sort -n > $results/long_url_search.txt
- echo ">>> Long URL attack pattern search completed"
- echo ""
- echo "Archiving results"
- zip -r autoweb_results.zip $results
- echo ">>>>> AutoWeb Searches completed <<<<<"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement