View difference between Paste ID: <a href="/8NXddejb">8NXddejb</a> and <a href="/je3ZYqWt">je3ZYqWt</a>

                               #############################
1		#############################
2		############################## # Day 1: Linux Fundamentals # ##############################
3		#############################
4
5
6		- Here is a good set of slides for getting started with Linux:
7		http://www.slideshare.net/olafusimichael/linux-training-24086319
8
9
10		- Here is a good tutorial that you should complete before doing the labs below:
11		http://linuxsurvival.com/linux-tutorial-introduction/
12	-	#####################################################
12	+
13	-	# 2020 Digital Forensics & Incident Response #
13	+
14	-	# By Joe McCray #
14	+
15	-	#####################################################
15	+
16		- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
17
18		Here is the information to put into putty
19
20		Host Name: 149.28.201.171
21		protocol: ssh
22		port: 22
23		username: casp
24		password: casp!casp123!
25
26
27		If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/)
28
29		Open a terminal, then type:
30		-------------------------------
31		ssh -l casp 149.28.201.171
32		------------------------------
33
34	-	username: chfi
34	+
35	-	password: chfi!chfi123!
35	+
36		####################
37
38
39
40		- After logging please open a terminal window and type the following commands:
41		---------------------------Type This-----------------------------------
42	-	ssh -l chfi 149.28.201.171
42	+
43
44		cp malware.exe malware.pdf
45
46		file malware.pdf
47
48	-	########################
48	+	cp malware.pdf malware.exe
49	-	# Basic Linux Commands #
49	+
50	-	########################
50	+
51		-----------------------------------------------------------------------
52
53	-	cd ~
53	+
54		*What is '4d 5a' or 'MZ'*
55	-	pwd
55	+
56		http://www.garykessler.net/library/file_sigs.html
57	-	whereis pwd
57	+
58
59	-	which pwd
59	+
60
61	-	sudo find / -name pwd
61	+
62
63	-	/bin/pwd
63	+
64
65	-	cd ~/students/
65	+
66		objdump -x malware.exe
67	-	mkdir yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please
67	+
68		strings malware.exe
69	-	cd yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please
69	+
70		strings --all malware.exe \| head -n 6
71	-	touch one two three
71	+
72		strings malware.exe \| grep -i dll
73	-	ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
73	+
74		strings malware.exe \| grep -i library
75	-	h (and again without pressing the Enter key, press the Tab key twice. What happens?)
75	+
76		strings malware.exe \| grep -i reg
77	-	Press the 'Up arrow key' (What happens?)
77	+
78		strings malware.exe \| grep -i hkey
79	-	Press 'Ctrl-A' (What happens?)
79	+
80		strings malware.exe \| grep -i hku
81	-	ls
81	+
82		- We didn't see anything like HKLM, HKCU or other registry type stuff
83	-	clear (What happens?)
83	+
84
85	-	echo one > one
85	+
86		strings malware.exe \| grep -i irc
87	-	cat one (What happens?)
87	+
88		strings malware.exe \| grep -i join
89	-	man cat (What happens?)
89	+
90	-	q
90	+
91
92	-	cat two
92	+
93		-----------------------------------------------------------------------
94	-	cat one > two
94	+
95		- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
96	-	cat two
96	+
97		---------------------------Type This-----------------------------------
98	-	cat one two > three
98	+
99
100	-	cat three
100	+
101		-----------------------------------------------------------------------
102	-	echo four >> three
102	+
103
104	-	cat three (What happens?)
104	+
105
106	-	wc -l three
106	+
107		---------------------------Type This-----------------------------------
108	-	man wc
108	+
109	-	q
109	+
110		objdump -x wannacry.exe \| less
111	-	info wc
111	+
112	-	q
112	+
113		strings wannacry.exe
114	-	cat three \| grep four
114	+
115		strings wannacry.exe \| grep -i dll
116	-	cat three \| grep one
116	+
117		strings wannacry.exe \| grep -i library
118	-	man grep
118	+
119	-	q
119	+
120
121		strings wannacry.exe \| grep -i key
122	-	man ps
122	+
123	-	q
123	+
124
125	-	ps
125	+
126
127	-	ps aux
127	+
128
129	-	ps aux \| less
129	+
130
131	-	Press the 'Up arrow key' (What happens?)
131	+
132
133	-	Press the 'Down arrow key' (What happens?)
133	+
134	-	q
134	+
135		strings wannacry.exe \| grep -i admin
136	-	top
136	+
137	-	q
137	+
138		----------------------------------------------------------------------
139
140
141	-	#########
141	+
142	-	# Files #
142	+
143	-	#########
143	+
144
145	-	cd ~
145	+
146
147	-	pwd
147	+
148		Reference
149	-	cd ~/students/yourname/
149	+
150
151	-	pwd
151	+
152
153	-	ls
153	+
154		Strings:
155	-	mkdir LinuxBasics
155	+
156		$s2 = “Wanna Decryptor” wide ascii nocase
157	-	cd LinuxBasics
157	+
158		$s4 = “WANNACRY” wide ascii nocase
159	-	pwd
159	+
160		$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
161	-	ls
161	+
162
163	-	mkdir files
163	+
164
165	-	touch one two three
165	+
166
167	-	cp one files/
167	+
168
169	-	ls files/
169	+
170
171	-	cd files/
171	+
172		---------------------------Type This-----------------------------------
173	-	cp ../two .
173	+
174
175	-	ls
175	+
176
177	-	cp ../three .
177	+
178
179	-	ls
179	+
180
181	-	tar cvf files.tar *
181	+
182		-----------------------------------------------------------------------
183	-	ls
183	+
184
185	-	gzip files.tar
185	+
186
187	-	ls
187	+
188		################################
189	-	rm -rf one two three
189	+
190		################################
191	-	ls
191	+
192		References:
193	-	tar -zxvf files.tar.gz
193	+
194		https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
195	-	rm -rf files.tar.gz
195	+
196		https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
197	-	zip data *
197	+
198
199	-	unzip -l data.zip
199	+
200
201	-	mkdir /tmp/yourname/
201	+
202
203	-	unzip data.zip -d /tmp/yourname/
203	+
204
205
206
207		####################################
208		# Tired of GREP - let's try Python #
209	-	##############################################
209	+
210	-	# Log Analysis with Linux command-line tools #
210	+
211	-	##############################################
211	+
212	-	- The following command line executables are found in the Mac as well as most Linux Distributions.
212	+
213		https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py
214	-	cat – prints the content of a file in the terminal window
214	+
215	-	grep – searches and filters based on patterns
215	+
216	-	awk – can sort each row into fields and display only what is needed
216	+
217	-	sed – performs find and replace functions
217	+
218	-	sort – arranges output in an order
218	+
219	-	uniq – compares adjacent lines and can report, filter or provide a count of duplicates
219	+
220
221		This is really good for showing some good signatures to add to the Python script
222
223		---------------------------Type This-----------------------------------
224		nano am.py
225	-	##############
225	+
226	-	# Cisco Logs #
226	+	python3 am.py wannacry.exe
227	-	##############
227	+	-----------------------------------------------------------------------