djtroby, May 31st, 2017
##############################
# Linux For InfoSec Pros     #
# By Joe McCray              #
##############################

Here is the download link for the video of the morning session:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-9_233534_recording.mp4

Here is the download link for the video of the afternoon session:
https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-4_233632_recording.mp4



##########
# VMWare #
##########
- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.

- A 30-day trial of Workstation 11 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0

- A 30-day trial of Fusion 7 can be downloaded from here:
- https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0

- The newest version of VMWare Player can be downloaded from here:
- https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec

Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319
########################################
# Boot up the StrategicSec Ubuntu host #
# You can also boot up the Win7        #
########################################

- Log in to your Ubuntu host with the following credentials:
    user: strategicsec
    pass: strategicsec



- I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
- You can download Putty from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


- For the purpose of this workshop, 192.168.230.128 is my Ubuntu IP address, so anytime you see that IP you'll know that's my Ubuntu host.


########################
# Basic Linux Commands #
########################

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir test

cd test

touch one two three

ls -l t     (without pressing the Enter key, press the Tab key twice. What happens?)

h       (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key'    (What happens?)

Press 'Ctrl-A'          (What happens?)

ls

clear               (What happens?)

echo one > one

cat one             (What happens?)

man cat             (What happens?)
    q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three           (What happens?)

wc -l three

man wc
    q

cat three | grep four

cat three | grep one

man grep
    q


sudo grep eth[01] /etc/*    (What happens?)

cat /etc/iftab


man ps
    q

ps

ps aux

ps aux | less

Press the 'Up arrow key'    (What happens?)

Press the 'Down arrow key'  (What happens?)
    q

top


#########################################################################
# What kind of Linux am I on and how can I find out?                    #
# Great reference:                                                      #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/    #
#########################################################################
What's the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release            # Debian based
cat /etc/redhat-release         # Redhat based



What's the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-



What can be learnt from the environment variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
dpkg --get-selections | grep -v deinstall
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'     # entries whose permission string contains an r



What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'          # Search for Joomla passwords (single quotes so the shell does not expand $password)


What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



What's cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l
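- The user-listing one-liners above (cut -d: -f1 and the two awk forms) can be rolled into one small audit script. The Python 3 script below is an added example, not part of this handout or of the g0tmi1k reference: it parses passwd-format text, reproduces those listings, and flags what a reviewer of a host wants called out (UID 0 accounts other than root, UIDs shared by several accounts, accounts that still have a real login shell). The passwd content embedded in it is constructed sample data; pass the path of a real /etc/passwd to audit that instead.

```python
#!/usr/bin/env python3
# Added example (not from the handout): audit passwd-format text the way the
# cut/awk one-liners above do, plus the checks a reviewer would want flagged.
import sys

# Constructed sample in /etc/passwd format. "backup2" is a second UID 0
# account and "alice" shares UID 1000 with strategicsec: both are anomalies.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup2:x:0:0:backup operator:/var/backups:/bin/sh
strategicsec:x:1000:1000:StrategicSec,,,:/home/strategicsec:/bin/bash
mysql:x:106:113:MySQL Server,,,:/nonexistent:/bin/false
alice:x:1000:1001:Alice:/home/alice:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per well-formed passwd line (7 colon-separated fields)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a real audit would report it
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def list_users(entries):
    """Same as: cat /etc/passwd | cut -d: -f1"""
    return [e["name"] for e in entries]


def superusers(entries):
    """Same as: awk -F: '$3 == 0 { print $1 }' /etc/passwd"""
    return [e["name"] for e in entries if e["uid"] == 0]


def duplicate_uids(entries):
    """UIDs used by more than one account; the kernel treats them as one user."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def login_capable(entries):
    """Accounts whose shell allows an interactive login."""
    return [e["name"] for e in entries if e["shell"] not in NOLOGIN_SHELLS]


def audit(text):
    """Human-readable findings for the contents of a passwd file."""
    entries = parse_passwd(text)
    findings = []
    extra_root = [n for n in superusers(entries) if n != "root"]
    if extra_root:
        findings.append("UID 0 accounts other than root: " + ", ".join(extra_root))
    for uid, names in sorted(duplicate_uids(entries).items()):
        findings.append("UID %d shared by: %s" % (uid, ", ".join(names)))
    return findings


if __name__ == "__main__":
    # Usage: python3 passwd_audit.py [/etc/passwd]; without an argument the
    # constructed sample above is audited. (Script name is hypothetical.)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PASSWD
    entries = parse_passwd(text)
    print("users:        " + ", ".join(list_users(entries)))
    print("uid 0:        " + ", ".join(superusers(entries)))
    print("login shells: " + ", ".join(login_capable(entries)))
    for finding in audit(text):
        print("FINDING: " + finding)
```

On the sample data the audit reports backup2 as an extra UID 0 account and UIDs 0 and 1000 as shared; either is something to explain or fix on a real host.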



What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



Anything "interesting" in the home directory(ies)? If it's possible to access them
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


Any settings/files (hidden) on the website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


Is there anything in the log file(s)? (Could help with "Local File Includes"!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp


###########################
# Target IP Determination #
###########################
- This portion starts the actual workshop content
- Zone Transfer fails on most domains, but here is an example of one that works:
dig axfr heartinternet.co.uk  @ns.heartinternet.co.uk


- Usually you will need to do a DNS brute-force with something like blindcrawl or fierce
perl blindcrawl.pl -d motorola.com
    Look up the IP addresses at:
    http://www.networksolutions.com/whois/index.jsp


- Note: If you are on a different machine and need to download blindcrawl, you can download it this way:
wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
chmod +x blindcrawl.pl



cd ~/toolz/fierce2
sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion
    strategicsec


- Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM:
svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/


cd ~/toolz/fierce2
wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz
tar -zxvf Template-Toolkit-2.14.tar.gz
cd Template-Toolkit-2.14/
perl Makefile.PL
    y
    y
    n
    y
sudo make install
     strategicsec

cd ..

sudo bash install.sh
     strategicsec

./fierce

./fierce -dns motorola.com

cd ~/toolz/

- Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM:
wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
gcc -o ipcrawl ipcrawl.c
chmod +x ipcrawl



- Here we do a forward lookup against an entire IP range. Basically, take every IP in the range and see what its hostname is.
cd ~/toolz/
./ipcrawl 148.87.1.1 148.87.1.254               (DNS forward lookup against an IP range)


sudo nmap -sL 148.87.1.0-255
     strategicsec

sudo nmap -sL 148.87.1.0-255 | grep oracle
     strategicsec

- Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html
sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254
     strategicsec



###########################
# Load Balancer Detection #
###########################

- Here are some options to use for identifying load balancers:
    - http://toolbar.netcraft.com/site_report/
    - Firefox LiveHTTP Headers


- Here are some command-line options to use for identifying load balancers:

dig google.com

cd ~/toolz
./lbd-0.1.sh google.com


halberd microsoft.com
halberd motorola.com
halberd oracle.com



######################################
# Web Application Firewall Detection #
######################################

cd ~/toolz/wafw00f
python wafw00f.py http://www.oracle.com
python wafw00f.py http://www.strategicsec.com


cd ~/toolz/
sudo nmap -p 80 --script http-waf-detect.nse oracle.com
     strategicsec

sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov
     strategicsec


#########################
# Playing with Nmap NSE #
#########################

nmap -Pn -p80 --script ip-geolocation-* strategicsec.com

nmap -p80 --script dns-brute strategicsec.com

nmap --script http-robtex-reverse-ip secore.info

nmap -Pn -p80 --script=http-headers strategicsec.com


ls /usr/share/nmap/scripts | grep http
nmap -Pn -p80 --script=http-* strategicsec.com

############
# Nmap NSE #
############

- Reference for this tutorial is:
https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse
     strategicsec



-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
    return port.protocol == "tcp"
            and port.number == 80
            and port.state == "open"
end

-- The Action Section --
action = function(host, port)
    return "I love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http


-- The Action Section --
action = function(host, port)
    return "I still love Linux!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443



OK, now let's have some fun with my buddy Carlos Perez's website, which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working.

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)
    return response.status

end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        return response.body
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")
        return title
    end

end
----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443



----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)

    local uri = "/installing-metasploit-in-ubunt/"
    local response = http.get(host, port, uri)

    if ( response.status == 200 ) then
        local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian")

        if (title) then
            return "Vulnerable"
        else
            return "Not Vulnerable"
        end
    end
end

----------------------------------------------------------------------

- Ok, now that we've made that change, let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


####################
# Installing Scapy #
####################

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot


- Reference Page For All Of The Commands We Will Be Running:
http://samsclass.info/124/proj11/proj17-scapy.html



- To run Scapy interactively

    sudo scapy



#####################################
# Sending ICMPv4 Packets with scapy #
#####################################

- In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key:

    i = IP()


- This creates an object named i of type IP. To see the properties of that object, use the display() method with this command:

    i.display()


- Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine:

    i.dst="192.168.54.184"

    i.display()


- Notice that scapy automatically fills in your machine's source IP address.

- Use these commands to create an object named ic of type ICMP and display its properties:

    ic = ICMP()

    ic.display()


- Use this command to send the packet onto the network and listen for a single packet in response. Note that the third character is the numeral 1, not a lowercase L:

    sr1(i/ic)


- This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4.

- The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding.

- Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name):

    sr1(i/ic/"YOUR NAME")


- You should see a reply with a Raw section containing your name.
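- To see what the i/ic/"YOUR NAME" stacking above actually puts on the wire, here is an added Python 3 example (not part of this handout and not scapy code) that builds the same IPv4 header + ICMP echo request + payload by hand with struct, fills in both checksums the way scapy does for you, and parses the bytes back while verifying the checksums. The addresses are constructed placeholders, nothing is sent, and it needs no scapy, so it runs anywhere.

```python
#!/usr/bin/env python3
# Added example (not from the handout, not scapy): hand-built IPv4/ICMP echo
# request with RFC 1071 checksums, plus a parser that verifies them.
import socket
import struct


def inet_checksum(data):
    """One's-complement sum of 16-bit words (RFC 1071); odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload, ident=0, seq=0):
    """ICMP type 8 / code 0 (echo request); checksum covers header + payload."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal 20-byte IPv4 header (no options); checksum covers the header only."""
    total_len = 20 + len(payload)
    # version 4 + IHL 5 words = 0x45; TOS, id, flags/fragment offset all zero
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    csum = inet_checksum(hdr)
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]   # bytes 10-11 hold the checksum
    return hdr + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, ttl, payload); raises if the header checksum is bad."""
    ihl = (packet[0] & 0x0F) * 4
    if inet_checksum(packet[:ihl]) != 0:    # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    ttl, proto = packet[8], packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto, ttl, packet[ihl:total_len]


def parse_icmp(segment):
    """Return (type, code, id, seq, payload); raises if the ICMP checksum is bad."""
    if inet_checksum(segment) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", segment[:8])
    return typ, code, ident, seq, segment[8:]


def echo_request(src, dst, payload, ident=0x1234, seq=1):
    """The whole packet scapy builds for IP(dst=...)/ICMP()/payload."""
    return build_ipv4(src, dst, 1, build_icmp_echo(payload, ident, seq))


if __name__ == "__main__":
    # Constructed placeholder addresses; the packet is only printed, never sent.
    pkt = echo_request("192.168.230.128", "192.168.230.2", b"YOUR NAME")
    print(pkt.hex())
    src, dst, proto, ttl, icmp = parse_ipv4(pkt)
    print(src, "->", dst, "proto", proto, "ttl", ttl)
    print(parse_icmp(icmp))
```

Comparing the printed hex with what i.display() and ic.display() show after the sr1() call makes each field's position visible: the payload you typed starts at byte 28, right after the 8-byte ICMP header.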



###################################
# Sending a UDP Packet with Scapy #
###################################


- Preparing the Target
$ ncat -ulvp 4444


--open another terminal--
In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key:

    u = UDP()

    u.display()


- This creates an object named u of type UDP, and displays its properties.

- Execute these commands to change the destination port to 4444 and display the properties again:

    i.dst="192.168.54.184"              <--- replace this with a host that you can run netcat on (ex: another VM or your host computer)

    u.dport = 4444

    u.display()


- Execute this command to send the packet to the Windows machine:

    send(i/u/"YOUR NAME SENT VIA UDP\n")


- On the Windows target, you should see the message appear


p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com")))


p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443]))


p=sr(IP(dst="192.168.230.2")/TCP(dport=[80]))


traceroute(["strategicsec.com"], maxttl=20)
    This is actually an ICMP & TCP traceroute, default destination is port 80


traceroute(["strategicsec.com"], dport=443, maxttl=20)


############################
# Ping Sweeping with Scapy #
############################

----------------------------------------------------------------------
vi scapy-pingsweep.py


#!/usr/bin/python
# ICMP echo sweep of 192.168.1.0/24 with scapy. Needs root for raw sockets:
#   sudo python scapy-pingsweep.py
from scapy.all import *

TIMEOUT = 2          # seconds to wait for each reply
conf.verb = 0        # silence scapy's "Sent 1 packets." output per host
for ip in range(0, 256):
    packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if reply is not None:
        # the host that answered is the reply's source, not its destination
        print("%s is online" % reply.src)
    else:
        print("Timeout waiting for %s" % packet[IP].dst)
----------------------------------------------------------------------


###############################################
# Checking out some scapy based port scanners #
###############################################

wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py

cat rdp_scan.py

sudo python rdp_scan.py 192.168.1.250



Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

After logging in, please open a terminal window and type the following commands:

cd Desktop/


This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
wget http://www.beenuarora.com/code/analyse_malware.py

unzip malware-password-is-infected.zip
        infected

file malware.exe

mv malware.exe malware.pdf

file malware.pdf

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'?***
Reference: http://www.garykessler.net/library/file_sigs.html


objdump -x malware.exe

strings malware.exe

strings --all malware.exe | head -n 6

strings malware.exe | grep -i dll

strings malware.exe | grep -i library

strings malware.exe | grep -i reg

strings malware.exe | grep -i hkey

strings malware.exe | grep -i hku

    - We didn't see anything like HKLM, HKCU or other registry type stuff

strings malware.exe | grep -i irc

strings malware.exe | grep -i join

strings malware.exe | grep -i admin

strings malware.exe | grep -i list

    - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

sudo apt-get install -y python-pefile

vi analyse_malware.py

python analyse_malware.py malware.exe
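- The file, hexdump -n 2 -C and strings | grep -i passes above are a manual static triage. The Python 3 script below is an added example, not the handout's analyse_malware.py and not pefile, that does the same checks in one pass: the MZ magic, following e_lfanew to the PE\0\0 signature and the COFF machine type, a strings(1) equivalent, and the indicator buckets (DLL/library, registry, IRC) the grep commands look for. The bytes it examines by default are a constructed stand-in with a DOS header and a few embedded strings; they are not an executable and not the workshop's malware.exe. Pass a file path to triage a real sample.

```python
#!/usr/bin/env python3
# Added example (not the handout's analyse_malware.py): a first static look at a
# binary that does what file, hexdump -n 2 -C and strings | grep -i do above.
import re
import struct
import sys


def constructed_sample():
    """Constructed stand-in for malware.exe: MZ header, e_lfanew -> 'PE\\0\\0',
    and a few embedded strings of the kinds the grep passes look for.
    It is not a runnable executable and not real malware."""
    dos = b"MZ" + b"\x00" * 58                  # 60 bytes of DOS header
    dos += struct.pack("<I", 0x40)              # e_lfanew at offset 0x3C
    pe = b"PE\x00\x00" + struct.pack("<HH", 0x014C, 3)   # Machine=i386, 3 sections
    body = (b"\x00kernel32.dll\x00LoadLibraryA\x00"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"NICK bot1234\x00JOIN #channel\x00ab\x00\x01\x02")
    return dos + pe + body


def magic(data):
    """hexdump -n 2 -C equivalent: the first two bytes as hex and as ASCII."""
    return data[:2].hex(), data[:2].decode("ascii", "replace")


def is_pe(data):
    """file-style check: 'MZ' at offset 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def pe_machine(data):
    """Machine field of the COFF header, which follows the 4-byte PE signature."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {0x014C: "i386", 0x8664: "x86-64", 0x01C0: "ARM"}.get(machine, hex(machine))


def strings(data, minlen=4):
    """strings(1) equivalent: runs of at least minlen printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# The grep -i passes from the walkthrough, grouped by what they indicate.
INDICATORS = {
    "dll": ["dll", "library"],
    "registry": ["hkey", "hklm", "hkcu", "hku", "software\\microsoft", "currentversion\\run"],
    "irc": ["irc", "join", "nick", "privmsg"],
}


def categorize(strs):
    """Bucket extracted strings by indicator category (case-insensitive)."""
    hits = {cat: [] for cat in INDICATORS}
    for s in strs:
        low = s.lower()
        for cat, words in INDICATORS.items():
            if any(w in low for w in words):
                hits[cat].append(s)
    return hits


def triage(data):
    """The summary a reviewer wants before going any deeper."""
    report = {"magic": magic(data), "pe": is_pe(data)}
    if report["pe"]:
        report["machine"] = pe_machine(data)
    report["strings"] = strings(data)
    report["indicators"] = categorize(report["strings"])
    return report


if __name__ == "__main__":
    # Usage: python3 triage.py [file]; with no argument the constructed sample
    # is examined. (Script name is hypothetical.)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for key, value in triage(data).items():
        print("%-10s %s" % (key, value))
```

Renaming the file to .pdf, as the walkthrough does, changes nothing here: the magic and e_lfanew checks look at the bytes, which is exactly why file still reports it as a PE executable.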


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

  995. ###############################
  996. # Creating a Malware Database #
  997. ###############################
  998.  
  999. Creating a malware database (sqlite)
  1000. ------------------------------------
  1001. wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1002. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1003. unzip malware-password-is-infected.zip
  1004.         infected
  1005. python avsubmit.py --init
  1006. python avsubmit.py -f malware.exe -e
  1007.  
  1008.  
  1009.  
  1010.  
  1011.  
  1012. Creating a malware database (mysql)
  1013. -----------------------------------
  1014. Step 1: Installing MySQL database
  1015. Run the following command in the terminal:
  1016.  
  1017. sudo apt-get install mysql-server
  1018.          
  1019. Step 2: Installing Python MySQLdb module
  1020. Run the following command in the terminal:
  1021.  
  1022. sudo apt-get build-dep python-mysqldb
  1023. sudo apt-get install python-mysqldb
  1024.  
  1025. Step 3: Logging in
  1026. Run the following command in the terminal:
  1027.  
  1028. mysql -u root -p                                        (set a password of 'malware')
  1029.  
  1030. Then create one database by running following command:
  1031.  
  1032. create database malware;
  1033.  
  1034.  
  1035.  
  1036. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1037.  
  1038. vi mal_to_db.py                         (fill in database connection information)
  1039.  
  1040. python mal_to_db.py -i
  1041.  
  1042. python mal_to_db.py -i -f malware.exe -u
  1043.  
  1044.  
  1045. mysql -u root -p
  1046.         malware
  1047.  
  1048. mysql> use malware;
  1049.  
  1050. select id,md5,sha1,sha256,time FROM files;
  1051.  
  1052. mysql> quit;
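Both the sqlite and the MySQL walkthroughs above end up with a `files` table keyed by hash, which is what the final `select id,md5,sha1,sha256,time FROM files;` queries. As an added example (not `avsubmit.py` or `mal_to_db.py`), this Python builds that table with the standard-library `sqlite3` module, de-duplicates on SHA-256, and looks a sample up by any of its three hashes. The schema and the `:memory:` default are assumptions for the example; pass a file path to keep the database on disk.

```python
import hashlib
import sqlite3
import time

# Same columns the walkthrough queries later: select id,md5,sha1,sha256,time FROM files;
# (schema is an assumption for this example, not mal_to_db.py's)
SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    md5    TEXT NOT NULL,
    sha1   TEXT NOT NULL,
    sha256 TEXT NOT NULL UNIQUE,
    time   TEXT NOT NULL
)
"""


def init_db(path=":memory:"):
    """Create the malware DB (":memory:" for a throwaway instance, a file path otherwise)."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def hash_sample(data):
    """Compute the three digests the table stores."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def add_sample(conn, data, when=None):
    """Insert one sample; sha256 is the dedup key, so re-submitting returns (existing_id, False)."""
    h = hash_sample(data)
    when = when or time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())
    existing = conn.execute("SELECT id FROM files WHERE sha256 = ?", (h["sha256"],)).fetchone()
    if existing:
        return existing[0], False
    cur = conn.execute(
        "INSERT INTO files (md5, sha1, sha256, time) VALUES (?, ?, ?, ?)",
        (h["md5"], h["sha1"], h["sha256"], when),
    )
    conn.commit()
    return cur.lastrowid, True


def lookup(conn, digest):
    """Find a sample by any of its hashes; the query is parameterised, never string-built."""
    digest = digest.lower()
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files WHERE md5 = ? OR sha1 = ? OR sha256 = ?",
        (digest, digest, digest),
    ).fetchone()


def add_file(conn, path):
    """Convenience wrapper: hash and store a file from disk (e.g. malware.exe)."""
    with open(path, "rb") as fh:
        return add_sample(conn, fh.read())


if __name__ == "__main__":
    db = init_db()
    print(add_sample(db, b"constructed sample bytes"))   # (1, True)
    print(add_sample(db, b"constructed sample bytes"))   # (1, False): already stored
    print(lookup(db, hash_sample(b"constructed sample bytes")["md5"]))
```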
  1053.  
  1054.  
  1055.  
  1056.  
  1057.  
  1058. ##############################
  1059. # Lesson 32: Setting up Yara #
  1060. ##############################
  1061.  
  1062.  
  1063. sudo apt-get install clamav clamav-freshclam
  1064.  
  1065. sudo freshclam
  1066.  
  1067. sudo clamscan
  1068.  
  1069. sudo apt-get install libpcre3 libpcre3-dev
  1070.  
  1071. wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz
  1072.  
  1073. wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz
  1074.  
  1075. tar -zxvf v3.1.0.tar.gz
  1076.  
  1077. cd yara-3.1.0/
  1078.  
  1079. ./bootstrap.sh
  1080.  
  1081. ./configure
  1082.  
  1083. make
  1084.  
  1085. make check
  1086.  
  1087. sudo make install
  1088.  
  1089. cd yara-python/
  1090.  
  1091. python setup.py build
  1092.  
  1093. sudo python setup.py install
  1094.  
  1095. cd ..
  1096.  
  1097. yara -v
  1098.  
  1099. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py
  1100.  
  1101. sigtool -u /var/lib/clamav/main.cvd
  1102.  
  1103. python clamav_to_yara.py -f main.ndb -o clamav.yara
  1104.  
  1105. wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
  1106.  
  1107. unzip malware-password-is-infected.zip
  1108.         infected
  1109.  
  1110. mkdir malcode/
  1111.  
  1112. mv malware.exe malcode/
  1113.  
  1114. vi testrule.yara
  1115. ----------------
  1116. rule IsPE
  1117. {
  1118. meta:
  1119. description = "Windows executable file"
  1120.  
  1121. condition:
  1122. // MZ signature at offset 0 and ...
  1123. uint16(0) == 0x5A4D and
  1124. // ... PE signature at offset stored in MZ header at 0x3C
  1125. uint32(uint32(0x3C)) == 0x00004550
  1126. }
  1127.  
  1128. rule has_no_DEP
  1129. {
  1130. meta:
  1131. description = "DEP is not enabled"
  1132.  
  1133. condition:
  1134. IsPE and
  1135. (uint16(uint32(0x3C)+0x5E) & 0x0100) == 0   // IMAGE_DLLCHARACTERISTICS_NX_COMPAT; parentheses make the & vs == precedence explicit
  1136. }
  1137.  
  1138. rule has_no_ASLR
  1139. {
  1140. meta:
  1141. description = "ASLR is not enabled"
  1142.  
  1143. condition:
  1144. IsPE and
  1145. (uint16(uint32(0x3C)+0x5E) & 0x0040) == 0   // IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
  1146. }
  1147. ----------------
  1148.  
  1149.  
  1150. yara testrule.yara malcode/malware.exe
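The three rules above hinge on two offsets: `0x3C` is `e_lfanew` in the DOS header (where the PE signature lives), and `0x5E` past that signature is the `DllCharacteristics` field (4 bytes of signature + 20 bytes of COFF header + 70 bytes into the optional header, the same position in PE32 and PE32+). The Python below is an added example, not the course's code or a YARA feature: it implements the same `IsPE`, `has_no_DEP` and `has_no_ASLR` checks with `struct`, so you can confirm what the rules test against a file, and includes a constructed header builder so it runs without a real sample. The builder's field values are assumptions.

```python
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D          # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550       # "PE\0\0"
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in
E_LFANEW_OFFSET = 0x3C
# PE signature (4) + COFF file header (20) + DllCharacteristics offset in the optional header (70)
DLLCHAR_OFFSET_FROM_PE = 4 + 20 + 70  # == 0x5E, the constant in the YARA rules


def u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def is_pe(buf):
    """Same test as rule IsPE: MZ at 0 and PE\\0\\0 at the offset stored at 0x3C."""
    if len(buf) < E_LFANEW_OFFSET + 4 or u16(buf, 0) != IMAGE_DOS_SIGNATURE:
        return False
    pe_off = u32(buf, E_LFANEW_OFFSET)
    if pe_off + DLLCHAR_OFFSET_FROM_PE + 2 > len(buf):
        return False
    return u32(buf, pe_off) == IMAGE_NT_SIGNATURE


def dll_characteristics(buf):
    """Read the 16-bit DllCharacteristics field (caller has checked is_pe)."""
    return u16(buf, u32(buf, E_LFANEW_OFFSET) + DLLCHAR_OFFSET_FROM_PE)


def check_mitigations(buf):
    """Return the has_no_DEP / has_no_ASLR verdicts, or None for a non-PE file."""
    if not is_pe(buf):
        return None
    dc = dll_characteristics(buf)
    return {
        "dllcharacteristics": dc,
        "has_no_DEP": (dc & IMAGE_DLLCHARACTERISTICS_NX_COMPAT) == 0,
        "has_no_ASLR": (dc & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) == 0,
    }


def build_sample_pe(dll_chars):
    """Constructed PE32 header skeleton (assumed values, not a real binary):
    just enough for the signature and DllCharacteristics checks to be meaningful."""
    pe_off = 0x80
    buf = bytearray(pe_off + 4 + 20 + 96)            # room for a PE32 optional header
    struct.pack_into("<H", buf, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, pe_off)
    struct.pack_into("<I", buf, pe_off, IMAGE_NT_SIGNATURE)
    struct.pack_into("<H", buf, pe_off + 4, 0x014C)  # Machine = i386
    struct.pack_into("<H", buf, pe_off + 20, 0xE0)   # SizeOfOptionalHeader (PE32)
    struct.pack_into("<H", buf, pe_off + 24, 0x10B)  # optional header Magic = PE32
    struct.pack_into("<H", buf, pe_off + DLLCHAR_OFFSET_FROM_PE, dll_chars)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(0)
    print(check_mitigations(data))
```

`python thisfile.py malcode/malware.exe` prints the same verdicts `yara testrule.yara malcode/malware.exe` would report, plus the raw `DllCharacteristics` value.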
  1151.  
  1152. mkdir rules/
  1153.  
  1154. cd rules/
  1155.  
  1156. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara
  1157.  
  1158. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara
  1159.  
  1160. wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara
  1161.  
  1162. cd ..
  1163.  
  1164. yara rules/ malcode/malware.exe
  1165.  
  1166. wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip
  1167.  
  1168. unzip master.zip
  1169.  
  1170. cd YaraGenerator-master/
  1171.  
  1172. python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"
  1173.  
  1174. cat Test-Rule-2.yar
  1175.  
  1176. wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  1177.  
  1178. yara Test-Rule-2.yar putty.exe
  1179.  
  1180.  
  1181.  
  1182.  
  1183. ####################
  1184. # Additional Tasks #
  1185. ####################
  1186.  
  1187. - PE Scanner:
  1188. https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  1189. http://www.beenuarora.com/code/analyse_malware.py
  1190.  
  1191. - AV submission:
  1192. http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  1193. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py
  1194.  
  1195. - Malware Database Creation:
  1196. https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1197.  
  1198.  
  1199.  
  1200.  
  1201. cd /home/malware/Desktop/Browser\ Forensics
  1202.  
  1203. ls | grep pcap
  1204.  
  1205. perl chaosreader.pl suspicious-time.pcap
  1206.  
  1207. firefox index.html
  1208.  
  1209. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1210.  
  1211. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1212.  
  1213. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs  
  1214.  
  1215.  
  1216.  
  1217.  
  1218. for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
  1219.  
  1220.  
  1221. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1222.  
  1223.  
  1224. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1225.  
  1226.  
  1227. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1228.  
  1229.  
  1230. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  1231.  
  1232.  
  1233. tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1234.  
  1235. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1236.  
  1237. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1238.  
  1239. tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1240.  
  1241. tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1242.  
  1243.  
  1244. whois rapidshare.com.eyu32.ru
  1245.  
  1246. whois sploitme.com.cn
  1247.  
  1248.  
  1249.  
  1250.  
  1251.  
  1252. tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1253.  
  1254. tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1255.  
  1256. tshark -r suspicious-time.pcap -qz http_req,tree
  1257.  
  1258. tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1259.  
  1260. tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1261.  
  1262.  
  1263.  
  1264.  
  1265.  
  1266. cd /home/malware/Desktop/Banking\ Troubles/Volatility
  1267.  
  1268. python volatility
  1269. python volatility pslist -f ../hn_forensics.vmem
  1270. python volatility connscan2 -f ../hn_forensics.vmem
  1271. python volatility memdmp -p 888 -f ../hn_forensics.vmem
  1272. python volatility memdmp -p 1752 -f ../hn_forensics.vmem
  1273.                                 ***Takes a few min***
  1274. strings 1752.dmp | grep "^http://" | sort | uniq
  1275. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1276. cd ..
  1277. cd foremost-1.5.7/
  1278. foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
  1279. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
  1280. cat audit.txt
  1281. cd pdf
  1282. ls
  1283. grep -i javascript *.pdf
  1284.  
  1285.  
  1286.  
  1287. cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
  1288. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1289. unzip pdf-parser_V0_6_4.zip
  1290. python pdf-parser.py -s javascript --raw 00600328.pdf
  1291. python pdf-parser.py --object 11 00600328.pdf
  1292. python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
  1293.  
  1294. cat malicious.js
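What the three `pdf-parser.py` calls do is: find objects mentioning `/JavaScript`, follow the `/JS` reference to the object holding the code, and undo the stream's `/FlateDecode` filter (`--raw --filter`). As an added example (not Didier Stevens' pdf-parser.py), the Python below performs that extraction on a constructed PDF built inline, so it runs offline; the object layout and the benign `app.alert` payload are assumptions for the illustration. Real documents may use object streams, multiple filters or escaped string syntax that this small parser does not handle.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.DOTALL)
REF_RE = re.compile(rb"/JS\s*(\d+)\s+\d+\s+R")          # /JS 4 0 R  (indirect reference)
INLINE_RE = re.compile(rb"/JS\s*\((.*?)\)", re.DOTALL)  # /JS (code) (no nested parens handled)


def build_sample_pdf(js):
    """Constructed minimal PDF (assumed layout): an OpenAction pointing at a
    JavaScript action whose code lives in a FlateDecode stream."""
    body = zlib.compress(js.encode())
    objs = [
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream\nendobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(pdf):
    """Map object number -> (dictionary bytes, raw stream bytes or None)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        start = re.search(rb"\bstream\r?\n", body)
        if start is None:
            objs[num] = (body, None)
            continue
        dictionary = body[:start.start()]
        length = re.search(rb"/Length\s+(\d+)", dictionary)
        if length:   # trust /Length when present, so binary data is sliced exactly
            stream = body[start.end():start.end() + int(length.group(1))]
        else:        # otherwise take everything up to endstream, minus the EOL
            stream = body[start.end():body.rfind(b"endstream")].rstrip(b"\r\n")
        objs[num] = (dictionary, stream)
    return objs


def decode_stream(dictionary, stream):
    """Apply the one filter this example understands (what --filter does for FlateDecode)."""
    if b"/FlateDecode" in dictionary:
        return zlib.decompress(stream)
    return stream


def find_javascript(pdf):
    """Return one record per object carrying JavaScript, with the decoded code."""
    objs = parse_objects(pdf)
    results = []
    for num, (d, _) in sorted(objs.items()):
        ref, inline = REF_RE.search(d), INLINE_RE.search(d)
        if b"/JavaScript" not in d and ref is None and inline is None:
            continue
        if ref:
            target = int(ref.group(1))
            td, ts = objs.get(target, (b"", None))
            code = decode_stream(td, ts) if ts is not None else None
        else:
            target = num
            code = inline.group(1) if inline else None
        results.append({"object": num, "js_object": target, "code": code})
    return results


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pdf('app.alert("constructed benign sample");')
    for hit in find_javascript(data):
        print("obj %d -> JS in obj %d:" % (hit["object"], hit["js_object"]))
        print(hit["code"])
```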
  1295.  
  1296.  
  1297. *****Sorry - no time to cover javascript de-obfuscation today*****
  1298.  
  1299.  
  1300. cd /home/malware/Desktop/Banking\ Troubles/Volatility/
  1301. python volatility files -f ../hn_forensics.vmem > files
  1302. cat files | less
  1303. python volatility malfind -f ../hn_forensics.vmem -d out
  1304. ls out/
  1305. python volatility hivescan -f ../hn_forensics.vmem                                                                    
  1306. python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1307. for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done