1 | ############################## | |
2 | # Linux For InfoSec Pros # | |
3 | # By Joe McCray # | |
4 | ############################## | |
5 | ||
6 | ||
7 | ########################## | |
8 | # Download the attack VM # | |
9 | ########################## | |
10 | https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip | |
11 | user: strategicsec | |
12 | pass: strategicsec | |
13 | ||
14 | ||
15 | ######################################## | |
16 | # Boot up the StrategicSec Ubuntu host # | |
17 | ######################################## | |
18 | ||
19 | - Log in to your Ubuntu host with the following credentials: | |
20 | user: strategicsec | |
21 | pass: strategicsec | |
22 | ||
23 | ||
24 | ||
25 | - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests. | |
26 | - You can download Putty from here: | |
27 | - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe | |
28 | ||
29 | ||
30 | ||
31 | ######################## | |
32 | # Basic Linux Commands # | |
33 | ######################## | |
34 | ||
35 | pwd | |
36 | ||
37 | whereis pwd | |
38 | ||
39 | which pwd | |
40 | ||
41 | sudo find / -name pwd | |
42 | strategicsec | |
43 | ||
44 | /bin/pwd | |
45 | ||
46 | mkdir test | |
47 | ||
48 | cd test | |
49 | ||
50 | touch one two three | |
51 | ||
52 | ls -l t (without pressing the Enter key, press the Tab key twice. What happens?) | |
53 | ||
54 | h (and again without pressing the Enter key, press the Tab key twice. What happens?) | |
55 | ||
56 | Press the 'Up arrow key' (What happens?) | |
57 | ||
58 | Press 'Ctrl-A' (What happens?) | |
59 | ||
60 | ls | |
61 | ||
62 | clear (What happens?) | |
63 | ||
64 | echo one > one | |
65 | ||
66 | cat one (What happens?) | |
67 | ||
68 | man cat (What happens?) | |
69 | q | |
70 | ||
71 | cat two | |
72 | ||
73 | cat one > two | |
74 | ||
75 | cat two | |
76 | ||
77 | cat one two > three | |
78 | ||
79 | cat three | |
80 | ||
81 | echo four >> three | |
82 | ||
83 | cat three (What happens?) | |
84 | ||
85 | wc -l three | |
86 | ||
87 | man wc | |
88 | q | |
89 | ||
90 | cat three | grep four | |
91 | ||
92 | cat three | grep one | |
93 | ||
94 | man grep | |
95 | q | |
96 | ||
97 | ||
98 | sudo grep eth[01] /etc/* (What happens?) | |
99 | strategicsec | |
100 | ||
101 | cat /etc/iftab | |
102 | ||
103 | ||
104 | man ps | |
105 | q | |
106 | ||
107 | ps | |
108 | ||
109 | ps aux | |
110 | ||
111 | ps aux | less | |
112 | ||
113 | Press the 'Up arrow key' (What happens?) | |
114 | ||
115 | Press the 'Down arrow key' (What happens?) | |
116 | q | |
117 | ||
118 | top | |
119 | ||
120 | ############ | |
121 | # VIM Demo # | |
122 | ############ | |
123 | http://www.thegeekstuff.com/2009/03/8-essential-vim-editor-navigation-fundamentals/ | |
124 | ||
125 | ||
126 | ||
127 | ################### | |
128 | # Common commands # | |
129 | ################### | |
130 | http://www.thegeekstuff.com/2009/03/15-practical-linux-find-command-examples/ | |
131 | ||
132 | http://www.thegeekstuff.com/2009/03/15-practical-unix-grep-command-examples/ | |
133 | http://www.thegeekstuff.com/2010/01/awk-introduction-tutorial-7-awk-print-examples/ | |
134 | http://www.thegeekstuff.com/2009/10/unix-sed-tutorial-advanced-sed-substitution-examples/ | |
135 | ||
136 | ||
137 | http://www.thegeekstuff.com/2010/11/50-linux-commands/ | |
138 | http://www.thegeekstuff.com/2009/10/debian-ubuntu-install-upgrade-remove-packages-using-apt-get-apt-cache-apt-file-dpkg/ | |
139 | http://www.thegeekstuff.com/2010/11/modprobe-command-examples/ | |
140 | http://www.thegeekstuff.com/2009/06/useradd-adduser-newuser-how-to-create-linux-users/ | |
141 | http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/ | |
142 | http://www.thegeekstuff.com/2010/08/how-to-create-lvm/ | |
143 | http://www.thegeekstuff.com/2010/10/dmesg-command-examples/ | |
144 | http://www.thegeekstuff.com/2010/03/netstat-command-examples/ | |
145 | http://www.thegeekstuff.com/2009/10/debian-ubuntu-install-upgrade-remove-packages-using-apt-get-apt-cache-apt-file-dpkg/ | |
146 | ||
147 | ################# | |
148 | # IPTables Demo # | |
149 | ################# | |
150 | Reference: | |
151 | http://www.thegeekstuff.com/2011/06/iptables-rules-examples/ | |
152 | ||
153 | Delete Existing Rules | |
154 | --------------------- | |
155 | sudo /sbin/iptables -F | |
156 | strategicsec | |
157 | ||
158 | (or) | |
159 | ||
160 | sudo /sbin/iptables --flush | |
161 | strategicsec | |
162 | ||
163 | ||
164 | ||
165 | Set Default Chain Policies | |
166 | -------------------------- | |
167 | sudo /sbin/iptables -P INPUT DROP (If you are logged in over SSH, what happens to your session? Put the SSH ACCEPT rules below in place before setting DROP policies) | |
168 | sudo /sbin/iptables -P FORWARD DROP | |
169 | sudo /sbin/iptables -P OUTPUT DROP | |
170 | ||
171 | ||
172 | Block a Specific ip-address | |
173 | --------------------------- | |
174 | BLOCK_THIS_IP="x.x.x.x" | |
175 | sudo /sbin/iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP | |
176 | ||
177 | ||
178 | sudo /sbin/iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP | |
179 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP | |
180 | ||
181 | ||
182 | Allow ALL Incoming SSH | |
183 | ---------------------- | |
184 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
185 | sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
186 | ||
187 | ||
188 | Allow Incoming SSH only from a Specific Network | |
189 | ----------------------------------------------- | |
190 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
191 | sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
192 | ||
193 | ||
194 | Allow Incoming HTTP and HTTPS | |
195 | ----------------------------- | |
196 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT | |
197 | sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT | |
198 | ||
199 | ||
200 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
201 | sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT | |
202 | ||
203 | ||
204 | ||
205 | Combine Multiple Rules Together using MultiPorts | |
206 | ------------------------------------------------ | |
207 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
208 | sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT | |
209 | ||
210 | ||
211 | Allow Outgoing SSH | |
212 | ------------------ | |
213 | sudo /sbin/iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
214 | sudo /sbin/iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
215 | ||
216 | ||
217 | ||
218 | Allow Outgoing SSH only to a Specific Network | |
219 | ||
220 | ||
221 | ||
222 | ||
223 | ||
224 | #################### | |
225 | # MD5 Hashing Demo # | |
226 | #################### | |
227 | mkdir ~/demo | |
228 | cd ~/demo | |
229 | ||
230 | ||
231 | ||
232 | mkdir hashdemo | |
233 | cd hashdemo | |
234 | echo test > test.txt | |
235 | cat test.txt | |
236 | md5sum test.txt | |
237 | echo hello >> test.txt | |
238 | cat test.txt | |
239 | md5sum test.txt | |
240 | cd .. | |
241 | ||
242 | ||
243 | ||
244 | Reference: | |
245 | https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/ | |
246 | ||
247 | ||
248 | ################################# | |
249 | # Symmetric Key Encryption Demo # | |
250 | ################################# | |
251 | md5sum test.txt | |
252 | mkdir gpgdemo | |
253 | cd gpgdemo | |
254 | echo test > test.txt | |
255 | cat test.txt | |
256 | gpg -c test.txt | |
257 | password | |
258 | password | |
259 | ls | grep test | |
260 | cat test.txt | |
261 | cat test.txt.gpg | |
262 | rm -rf test.txt | |
263 | ls | grep test | |
264 | gpg -o output.txt test.txt.gpg | |
265 | ||
266 | ||
267 | ######################################################################################################################### | |
268 | # Asymmetric Key Encryption Demo # | |
269 | # # | |
270 | # Configure random number generator # | |
271 | # https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny # | |
272 | ######################################################################################################################### | |
273 | ||
274 | sudo apt-get install rng-tools | |
275 | strategicsec | |
276 | ||
277 | /etc/init.d/rng-tools start | |
278 | ||
279 | sudo rngd -r /dev/urandom (demo shortcut: this only inflates the kernel's entropy estimate, it adds no real entropy - do not use it when generating keys you will actually rely on) | |
280 | strategicsec | |
281 | ||
282 | ||
283 | echo hello > file1.txt | |
284 | echo goodbye > file2.txt | |
285 | echo green > file3.txt | |
286 | echo blue > file4.txt | |
287 | ||
288 | tar czf files.tar.gz *.txt | |
289 | ||
290 | gpg --gen-key | |
291 | 1 | |
292 | 1024 | |
293 | 0 | |
294 | y | |
295 | John Doe | |
296 | john@doe.com | |
297 | --blank comment-- | |
298 | O | |
299 | password | |
300 | password | |
301 | ||
302 | ||
303 | ||
304 | gpg --armor --output file-enc-pubkey.txt --export 'John Doe' | |
305 | ||
306 | cat file-enc-pubkey.txt | |
307 | ||
308 | gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe' | |
309 | ||
310 | cat file-enc-privkey.asc | |
311 | ||
312 | gpg --encrypt --recipient 'John Doe' files.tar.gz | |
313 | ||
314 | rm -rf files.tar.gz *.txt | |
315 | ||
316 | tar -zxvf files.tar.gz.gpg (What happens? The archive is still encrypted, so tar cannot read it) | |
317 | ||
318 | gpg --output output.tar.gz --decrypt files.tar.gz.gpg | |
319 | password | |
320 | ||
321 | tar -zxvf output.tar.gz | |
322 | ||
323 | ||
324 | Reference: | |
325 | http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/ | |
326 | ||
327 | ||
328 | ||
329 | ############################ | |
330 | # Encryption using OpenSSL # | |
331 | ############################ | |
332 | openssl genrsa -out private_key.pem 1024 (1024-bit RSA is fine for this demo but below current minimums; use 2048 or more for real keys) | |
333 | openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout | |
334 | ||
335 | ||
336 | echo hello > encrypt.txt | |
337 | openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat | |
338 | ||
339 | cat encrypt.dat | |
340 | ||
341 | rm -rf encrypt.txt | |
342 | ||
343 | openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt | |
344 | ||
345 | cat decrypt.txt | |
346 | ||
347 | ||
348 | ################## | |
349 | # SELinux Basics # | |
350 | ################## | |
351 | ||
352 | sudo apt-get install selinux selinux-utils | |
353 | strategicsec | |
354 | ||
355 | ||
356 | - Change the SELinux mode in /etc/selinux/config (optional): | |
357 | ||
358 | - Enforcing | |
359 | sudo sed -i 's/SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config | |
360 | strategicsec | |
361 | ||
362 | - Permissive | |
363 | sudo sed -i 's/SELINUX=.*/SELINUX=permissive/' /etc/selinux/config | |
364 | strategicsec | |
365 | ||
366 | - Reboot | |
367 | ||
368 | Reference: | |
369 | http://www.techrepublic.com/blog/linux-and-open-source/practical-selinux-for-the-beginner-contexts-and-labels/ | |
370 | ||
371 | ||
372 | ############ | |
373 | # AppArmor # | |
374 | ############ | |
375 | Reference: | |
376 | http://www.thegeekstuff.com/2014/03/apparmor-ubuntu/ | |
377 | ||
378 | ||
379 | ||
380 | ||
381 | ######################## | |
382 | # Bash Shell Scripting # | |
383 | ######################## | |
384 | http://www.thegeekstuff.com/2011/07/bash-for-loop-examples/ | |
385 | http://www.thegeekstuff.com/2010/07/bash-string-manipulation/ | |
386 | http://www.thegeekstuff.com/2012/05/encrypt-bash-shell-script/ | |
387 | ||
388 | ||
389 | ||
390 | ||
391 | ############################ | |
392 | # Ubuntu Server Build Task # | |
393 | ############################ | |
394 | https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/ | |
395 | ||
396 | ############################ | |
397 | # CentOS Server Build Task # | |
398 | ############################ | |
399 | https://www.howtoforge.com/tutorial/perfect-server-centos-7-1-apache-mysql-php-pureftpd-postfix-dovecot-and-ispconfig3/ | |
400 | ||
401 | ||
402 | ||
403 | ||
404 | ######################################################################### | |
405 | # What kind of Linux am I on and how can I find out? # | |
406 | # Great reference: # | |
407 | # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ # | |
408 | ######################################################################### | |
409 | What’s the distribution type? What version? | |
410 | ------------------------------------------- | |
411 | cat /etc/issue | |
412 | cat /etc/*-release | |
413 | cat /etc/lsb-release # Debian based | |
414 | cat /etc/redhat-release # Redhat based | |
415 | ||
416 | ||
417 | ||
418 | What’s the kernel version? Is it 64-bit? | |
419 | ------------------------------------------- | |
420 | cat /proc/version | |
421 | uname -a | |
422 | uname -mrs | |
423 | rpm -q kernel | |
424 | dmesg | grep Linux | |
425 | ls /boot | grep vmlinuz- | |
426 | ||
427 | ||
428 | ||
429 | What can be learnt from the environmental variables? | |
430 | ---------------------------------------------------- | |
431 | cat /etc/profile | |
432 | cat /etc/bashrc | |
433 | cat ~/.bash_profile | |
434 | cat ~/.bashrc | |
435 | cat ~/.bash_logout | |
436 | env | |
437 | set | |
438 | ||
439 | ||
440 | What services are running? Which service has which user privilege? | |
441 | ------------------------------------------------------------------ | |
442 | ps aux | |
443 | ps -ef | |
444 | top | |
445 | cat /etc/services | |
446 | ||
447 | ||
448 | Which service(s) are being run by root? Of these services, which are vulnerable - it’s worth a double check! | |
449 | --------------------------------------------------------------------------------------------------------------- | |
450 | ps aux | grep root | |
451 | ps -ef | grep root | |
452 | ||
453 | ||
454 | ||
455 | What applications are installed? What version are they? Are they currently running? | |
456 | ------------------------------------------------------------------------------------ | |
457 | ls -alh /usr/bin/ | |
458 | ls -alh /sbin/ | |
459 | dpkg -l | |
460 | dpkg --get-selections | grep -v deinstall | |
461 | rpm -qa | |
462 | ls -alh /var/cache/apt/archives | |
463 | ls -alh /var/cache/yum/ | |
464 | ||
465 | ||
466 | Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached? | |
467 | ------------------------------------------------------------------------------------ | |
468 | cat /etc/syslog.conf | |
469 | cat /etc/chttp.conf | |
470 | cat /etc/lighttpd.conf | |
471 | cat /etc/cups/cupsd.conf | |
472 | cat /etc/inetd.conf | |
473 | cat /etc/apache2/apache2.conf | |
474 | cat /etc/my.conf | |
475 | cat /etc/httpd/conf/httpd.conf | |
476 | cat /opt/lampp/etc/httpd.conf | |
477 | ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' | |
478 | ||
479 | ||
480 | ||
481 | What jobs are scheduled? | |
482 | ------------------------ | |
483 | crontab -l | |
484 | ls -alh /var/spool/cron | |
485 | ls -al /etc/ | grep cron | |
486 | ls -al /etc/cron* | |
487 | cat /etc/cron* | |
488 | cat /etc/at.allow | |
489 | cat /etc/at.deny | |
490 | cat /etc/cron.allow | |
491 | cat /etc/cron.deny | |
492 | cat /etc/crontab | |
493 | cat /etc/anacrontab | |
494 | cat /var/spool/cron/crontabs/root | |
495 | ||
496 | ||
497 | Any plain text usernames and/or passwords? | |
498 | ------------------------------------------ | |
499 | grep -i user [filename] | |
500 | grep -i pass [filename] | |
501 | grep -C 5 "password" [filename] | |
502 | find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Search for Joomla passwords (single-quote the pattern: inside double quotes the shell expands $password before grep sees it) | |
503 | ||
504 | ||
505 | What NIC(s) does the system have? Is it connected to another network? | |
506 | --------------------------------------------------------------------- | |
507 | /sbin/ifconfig -a | |
508 | cat /etc/network/interfaces | |
509 | cat /etc/sysconfig/network | |
510 | ||
511 | ||
512 | What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? | |
513 | ------------------------------------------------------------------------------------------------------------------------ | |
514 | cat /etc/resolv.conf | |
515 | cat /etc/sysconfig/network | |
516 | cat /etc/networks | |
517 | sudo iptables -L | |
518 | hostname | |
519 | dnsdomainname | |
520 | ||
521 | What other users & hosts are communicating with the system? | |
522 | ----------------------------------------------------------- | |
523 | lsof -i | |
524 | lsof -i :80 | |
525 | grep 80 /etc/services | |
526 | netstat -antup | |
527 | netstat -antpx | |
528 | netstat -tulpn | |
529 | chkconfig --list | |
530 | chkconfig --list | grep 3:on | |
531 | last | |
532 | w | |
533 | ||
534 | ||
535 | ||
536 | What's cached? IP and/or MAC addresses | |
537 | ------------------------------------- | |
538 | arp -e | |
539 | route | |
540 | /sbin/route -nee | |
541 | ||
542 | ||
543 | Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what? | |
544 | ------------------------------------------------------------------------------------------ | |
545 | id | |
546 | who | |
547 | w | |
548 | last | |
549 | cat /etc/passwd | cut -d: # List of users (cut also needs a field list, e.g. -f1) | |
550 | grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users | |
551 | awk -F: '($3 == "0") {print}' /etc/passwd # List of super users | |
552 | sudo cat /etc/sudoers | |
553 | sudo -l | |
554 | ||
555 | ||
556 | ||
557 | What sensitive files can be found? | |
558 | ---------------------------------- | |
559 | cat /etc/passwd | |
560 | cat /etc/group | |
561 | sudo cat /etc/shadow | |
562 | ls -alh /var/mail/ | |
563 | ||
564 | ||
565 | ||
566 | Anything “interesting” in the home directories? If it’s possible to access them | |
567 | ---------------------------------------------------------------------------- | |
568 | ls -ahlR /root/ | |
569 | ls -ahlR /home/ | |
570 | ||
571 | ||
572 | Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords | |
573 | --------------------------------------------------------------------------------------------------------------------------- | |
574 | cat /var/apache2/config.inc | |
575 | cat /var/lib/mysql/mysql/user.MYD | |
576 | sudo cat /root/anaconda-ks.cfg | |
577 | ||
578 | ||
579 | What has the user been doing? Is there any password in plain text? What have they been editing? | |
580 | ----------------------------------------------------------------------------------------------- | |
581 | cat ~/.bash_history | |
582 | cat ~/.nano_history | |
583 | cat ~/.atftp_history | |
584 | cat ~/.mysql_history | |
585 | cat ~/.php_history | |
586 | ||
587 | ||
588 | ||
589 | What user information can be found? | |
590 | ----------------------------------- | |
591 | cat ~/.bashrc | |
592 | cat ~/.profile | |
593 | cat /var/mail/root | |
594 | cat /var/spool/mail/root | |
595 | ||
596 | ||
597 | Can private-key information be found? | |
598 | ------------------------------------- | |
599 | cat ~/.ssh/authorized_keys | |
600 | cat ~/.ssh/identity.pub | |
601 | cat ~/.ssh/identity | |
602 | cat ~/.ssh/id_rsa.pub | |
603 | cat ~/.ssh/id_rsa | |
604 | cat ~/.ssh/id_dsa.pub | |
605 | cat ~/.ssh/id_dsa | |
606 | cat /etc/ssh/ssh_config | |
607 | cat /etc/ssh/sshd_config | |
608 | cat /etc/ssh/ssh_host_dsa_key.pub | |
609 | cat /etc/ssh/ssh_host_dsa_key | |
610 | cat /etc/ssh/ssh_host_rsa_key.pub | |
611 | cat /etc/ssh/ssh_host_rsa_key | |
612 | cat /etc/ssh/ssh_host_key.pub | |
613 | cat /etc/ssh/ssh_host_key | |
614 | ||
615 | ||
616 | Any settings/files (hidden) on website? Any settings file with database information? | |
617 | ------------------------------------------------------------------------------------ | |
618 | ls -alhR /var/www/ | |
619 | ls -alhR /srv/www/htdocs/ | |
620 | ls -alhR /usr/local/www/apache22/data/ | |
621 | ls -alhR /opt/lampp/htdocs/ | |
622 | ls -alhR /var/www/html/ | |
623 | ||
624 | ||
625 | Is there anything in the log file(s) (Could help with “Local File Includes”!) | |
626 | ----------------------------------------------------------------------------- | |
627 | cat /etc/httpd/logs/access_log | |
628 | cat /etc/httpd/logs/access.log | |
629 | cat /etc/httpd/logs/error_log | |
630 | cat /etc/httpd/logs/error.log | |
631 | cat /var/log/apache2/access_log | |
632 | cat /var/log/apache2/access.log | |
633 | cat /var/log/apache2/error_log | |
634 | cat /var/log/apache2/error.log | |
635 | cat /var/log/apache/access_log | |
636 | cat /var/log/apache/access.log | |
637 | cat /var/log/auth.log | |
638 | cat /var/log/chttp.log | |
639 | cat /var/log/cups/error_log | |
640 | cat /var/log/dpkg.log | |
641 | cat /var/log/faillog | |
642 | cat /var/log/httpd/access_log | |
643 | cat /var/log/httpd/access.log | |
644 | cat /var/log/httpd/error_log | |
645 | cat /var/log/httpd/error.log | |
646 | cat /var/log/lastlog | |
647 | cat /var/log/lighttpd/access.log | |
648 | cat /var/log/lighttpd/error.log | |
649 | cat /var/log/lighttpd/lighttpd.access.log | |
650 | cat /var/log/lighttpd/lighttpd.error.log | |
651 | cat /var/log/messages | |
652 | cat /var/log/secure | |
653 | cat /var/log/syslog | |
654 | cat /var/log/wtmp | |
655 | cat /var/log/xferlog | |
656 | cat /var/log/yum.log | |
657 | cat /var/run/utmp | |
658 | cat /var/webmin/miniserv.log | |
659 | cat /var/www/logs/access_log | |
660 | cat /var/www/logs/access.log | |
661 | ls -alh /var/lib/dhcp3/ | |
662 | ls -alh /var/log/postgresql/ | |
663 | ls -alh /var/log/proftpd/ | |
664 | ls -alh /var/log/samba/ | |
665 | ||
666 | Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp | |
667 | ||
668 | ||
669 | ########################### | |
670 | # Target IP Determination # | |
671 | ########################### | |
672 | - This portion starts the actual workshop content | |
673 | - Zone Transfer fails on most domains, but here is an example of one that works: | |
674 | dig axfr heartinternet.co.uk @ns.heartinternet.co.uk | |
675 | ||
676 | ||
677 | - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce | |
678 | perl blindcrawl.pl -d motorola.com | |
679 | Look up the IP addresses at: | |
680 | http://www.networksolutions.com/whois/index.jsp | |
681 | ||
682 | ||
683 | - Note: If you are on a different machine and need to download blindcrawl, you can download it this way: | |
684 | wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl | |
685 | chmod +x blindcrawl.pl | |
686 | ||
687 | ||
688 | ||
689 | cd ~/toolz/fierce2 | |
690 | sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion | |
691 | strategicsec | |
692 | ||
693 | ||
694 | - Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM: | |
695 | svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/ | |
696 | ||
697 | ||
698 | cd ~/toolz/fierce2 | |
699 | wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz | |
700 | tar -zxvf Template-Toolkit-2.14.tar.gz | |
701 | cd Template-Toolkit-2.14/ | |
702 | perl Makefile.PL | |
703 | y | |
704 | y | |
705 | n | |
706 | y | |
707 | sudo make install | |
708 | strategicsec | |
709 | ||
710 | cd .. | |
711 | ||
712 | sudo bash install.sh | |
713 | strategicsec | |
714 | ||
715 | ./fierce | |
716 | ||
717 | ./fierce -dns motorola.com | |
718 | ||
719 | cd ~/toolz/ | |
720 | ||
721 | - Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM: | |
722 | wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c | |
723 | gcc -o ipcrawl ipcrawl.c | |
724 | chmod +x ipcrawl | |
725 | ||
726 | ||
727 | ||
728 | - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what its hostname is | |
729 | cd ~/toolz/ | |
730 | ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range) | |
731 | ||
732 | ||
733 | sudo nmap -sL 148.87.1.0-255 | |
734 | strategicsec | |
735 | ||
736 | sudo nmap -sL 148.87.1.0-255 | grep oracle | |
737 | strategicsec | |
738 | ||
739 | - Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html | |
740 | sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254 | |
741 | strategicsec | |
742 | ||
743 | ||
744 | ||
745 | ||
746 | ########################### | |
747 | # Load Balancer Detection # | |
748 | ########################### | |
749 | ||
750 | - Here are some options to use for identifying load balancers: | |
751 | - http://toolbar.netcraft.com/site_report/ | |
752 | - Firefox LiveHTTP Headers | |
753 | ||
754 | ||
755 | - Here are some command-line options to use for identifying load balancers: | |
756 | ||
757 | dig google.com | |
758 | ||
759 | cd ~/toolz | |
760 | ./lbd-0.1.sh google.com | |
761 | ||
762 | ||
763 | halberd microsoft.com | |
764 | halberd motorola.com | |
765 | halberd oracle.com | |
766 | ||
767 | ||
768 | ||
769 | ||
770 | ||
771 | ###################################### | |
772 | # Web Application Firewall Detection # | |
773 | ###################################### | |
774 | ||
775 | cd ~/toolz/wafw00f | |
776 | python wafw00f.py http://www.oracle.com | |
777 | python wafw00f.py http://www.strategicsec.com | |
778 | ||
779 | ||
780 | cd ~/toolz/ | |
781 | sudo nmap -p 80 --script http-waf-detect.nse oracle.com | |
782 | strategicsec | |
783 | ||
784 | sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov | |
785 | strategicsec | |
786 | ||
787 | ||
788 | ######################### | |
789 | # Playing with Nmap NSE # | |
790 | ######################### | |
791 | ||
792 | nmap -Pn -p80 --script ip-geolocation-* strategicsec.com | |
793 | ||
794 | nmap -p80 --script dns-brute strategicsec.com | |
795 | ||
796 | nmap --script http-robtex-reverse-ip secore.info | |
797 | ||
798 | nmap -Pn -p80 --script=http-headers strategicsec.com | |
799 | ||
800 | ||
801 | ls /usr/share/nmap/scripts | grep http | |
802 | nmap -Pn -p80 --script=http-* strategicsec.com | |
803 | ||
804 | ############ | |
805 | # Nmap NSE # | |
806 | ############ | |
807 | ||
808 | - Reference for this tutorial is: | |
809 | https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/ | |
810 | ||
811 | ---------------------------------------------------------------------- | |
812 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
813 | strategicsec | |
814 | ||
815 | ||
816 | ||
817 | -- The Head Section -- | |
818 | -- The Rule Section -- | |
819 | portrule = function(host, port) | |
820 | return port.protocol == "tcp" | |
821 | and port.number == 80 | |
822 | and port.state == "open" | |
823 | end | |
824 | ||
825 | -- The Action Section -- | |
826 | action = function(host, port) | |
827 | return "I love Linux!" | |
828 | end | |
829 | ---------------------------------------------------------------------- | |
830 | ||
831 | - Ok, now that we've made that change let's run the script | |
832 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443 | |
833 | ||
834 | ||
835 | ||
836 | ||
837 | ||
838 | ||
839 | ---------------------------------------------------------------------- | |
840 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
841 | ||
842 | -- The Head Section -- | |
843 | local shortport = require "shortport" | |
844 | ||
845 | -- The Rule Section -- | |
846 | portrule = shortport.http | |
847 | ||
848 | ||
849 | -- The Action Section -- | |
850 | action = function(host, port) | |
851 | return "I still love Linux!" | |
852 | end | |
853 | ---------------------------------------------------------------------- | |
854 | ||
855 | - Ok, now that we've made that change let's run the script | |
856 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443 | |
857 | ||
858 | ||
859 | ||
860 | ||
861 | ||
862 | ||
863 | ||
864 | OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working. | |
865 | ||
866 | ---------------------------------------------------------------------- | |
867 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
868 | ||
869 | -- The Head Section -- | |
870 | local shortport = require "shortport" | |
871 | local http = require "http" | |
872 | ||
873 | -- The Rule Section -- | |
874 | portrule = shortport.http | |
875 | ||
876 | -- The Action Section -- | |
877 | action = function(host, port) | |
878 | ||
879 | local uri = "/installing-metasploit-in-ubunt/" | |
880 | local response = http.get(host, port, uri) | |
881 | return response.status | |
882 | ||
883 | end | |
884 | ---------------------------------------------------------------------- | |
885 | ||
886 | - Ok, now that we've made that change let's run the script | |
887 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
888 | ||
889 | ||
890 | ||
891 | ||
892 | ---------------------------------------------------------------------- | |
893 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
894 | ||
895 | -- The Head Section -- | |
896 | local shortport = require "shortport" | |
897 | local http = require "http" | |
898 | ||
899 | -- The Rule Section -- | |
900 | portrule = shortport.http | |
901 | ||
902 | -- The Action Section -- | |
903 | action = function(host, port) | |
904 | ||
905 | local uri = "/installing-metasploit-in-ubunt/" | |
906 | local response = http.get(host, port, uri) | |
907 | ||
908 | if ( response.status == 200 ) then | |
909 | return response.body | |
910 | end | |
911 | ||
912 | end | |
913 | ---------------------------------------------------------------------- | |
914 | ||
915 | - Ok, now that we've made that change let's run the script | |
916 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
917 | ||
918 | ||
919 | ||
920 | ||
921 | ||
922 | ||
923 | ||
924 | ||
925 | ||
926 | ---------------------------------------------------------------------- | |
927 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
928 | ||
929 | -- The Head Section -- | |
930 | local shortport = require "shortport" | |
931 | local http = require "http" | |
932 | local string = require "string" | |
933 | ||
934 | -- The Rule Section -- | |
935 | portrule = shortport.http | |
936 | ||
937 | -- The Action Section -- | |
938 | action = function(host, port) | |
939 | ||
940 | local uri = "/installing-metasploit-in-ubunt/" | |
941 | local response = http.get(host, port, uri) | |
942 | ||
943 | if ( response.status == 200 ) then | |
944 | local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian") | |
945 | return title | |
946 | end | |
947 | ||
948 | end | |
949 | ---------------------------------------------------------------------- | |
950 | ||
951 | - Ok, now that we've made that change let's run the script | |
952 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
953 | ||
954 | ||
955 | ||
956 | ||
957 | ||
958 | ||
959 | ||
960 | ---------------------------------------------------------------------- | |
961 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
962 | ||
963 | -- The Head Section -- | |
964 | local shortport = require "shortport" | |
965 | local http = require "http" | |
966 | local string = require "string" | |
967 | ||
968 | -- The Rule Section -- | |
-- Run against any port nmap identifies as an HTTP service.
portrule = shortport.http

-- Fetch a fixed path and classify the host by whether a known title
-- string appears in a 200 response. Non-200 responses yield nil (no
-- script output), as in the earlier versions of this lesson.
action = function(host, port)
  local path = "/installing-metasploit-in-ubunt/"
  local resp = http.get(host, port, path)

  if resp.status ~= 200 then
    return nil
  end

  local needle = "Installing Metasploit in Ubuntu and Debian"
  local found = string.match(resp.body, needle) ~= nil

  -- NOTE(review): "Vulnerable" here only means the page text was found;
  -- the lesson uses that as a stand-in for a real vulnerability check.
  return found and "Vulnerable" or "Not Vulnerable"
end
987 | ||
988 | ---------------------------------------------------------------------- | |
989 | ||
990 | - Ok, now that we've made that change let's run the script | |
991 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
992 | ||
993 | ||
994 | ||
995 | #################### | |
996 | # Installing Scapy # | |
997 | #################### | |
998 | ||
999 | sudo apt-get update | |
1000 | sudo apt-get install python-scapy python-pyx python-gnuplot | |
1001 | ||
1002 | ||
1003 | - Reference Page For All Of The Commands We Will Be Running: | |
1004 | http://samsclass.info/124/proj11/proj17-scapy.html | |
1005 | ||
1006 | ||
1007 | ||
1008 | ||
1009 | ||
1010 | - To run Scapy interactively | |
1011 | ||
1012 | sudo scapy | |
1013 | ||
1014 | ||
1015 | ||
1016 | ##################################### | |
1017 | # Sending ICMPv4 Packets with scapy # | |
1018 | ##################################### | |
1019 | ||
1020 | - In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key: | |
1021 | ||
1022 | i = IP() | |
1023 | ||
1024 | ||
1025 | ||
1026 | ||
1027 | - This creates an object named i of type IP. To see the properties of that object, use the display() method with this command: | |
1028 | ||
1029 | i.display() | |
1030 | ||
1031 | ||
1032 | ||
1033 | ||
1034 | - Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine: | |
1035 | ||
1036 | i.dst="192.168.54.184" | |
1037 | ||
1038 | i.display() | |
1039 | ||
1040 | ||
1041 | ||
1042 | ||
1043 | - Notice that scapy automatically fills in your machine's source IP address. | |
1044 | ||
1045 | - Use these commands to create an object named ic of type ICMP and display its properties: | |
1046 | ||
1047 | ||
1048 | ic = ICMP() | |
1049 | ||
1050 | ic.display() | |
1051 | ||
1052 | ||
1053 | ||
1054 | ||
1055 | ||
1056 | - Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L: | |
1057 | ||
1058 | sr1(i/ic) | |
1059 | ||
1060 | ||
1061 | ||
1062 | ||
1063 | ||
1064 | - This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. | |
1065 | ||
1066 | ||
1067 | - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding. | |
1068 | ||
1069 | - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name): | |
1070 | ||
1071 | ||
1072 | sr1(i/ic/"YOUR NAME") | |
1073 | ||
1074 | ||
1075 | - You should see a reply with a Raw section containing your name. | |
1076 | ||
1077 | ||
1078 | ||
1079 | ################################### | |
1080 | # Sending a UDP Packet with Scapy # | |
1081 | ################################### | |
1082 | ||
1083 | ||
1084 | - Preparing the Target | |
1085 | $ ncat -ulvp 4444 | |
1086 | ||
1087 | ||
1088 | ||
1089 | ||
1090 | --open another terminal-- | |
1091 | In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key: | |
1092 | ||
1093 | u = UDP() | |
1094 | ||
1095 | u.display() | |
1096 | ||
1097 | ||
1098 | ||
1099 | - This creates an object named u of type UDP, and displays its properties. | |
1100 | ||
1101 | - Execute these commands to change the destination port to 4444 and display the properties again: | |
1102 | ||
1103 | i.dst="192.168.54.184" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer) | |
1104 | ||
1105 | u.dport = 4444 | |
1106 | ||
1107 | u.display() | |
1108 | ||
1109 | ||
1110 | ||
- Execute this command to send the packet to the host running the ncat listener (the one you set as i.dst above):
1112 | ||
1113 | send(i/u/"YOUR NAME SENT VIA UDP\n") | |
1114 | ||
1115 | ||
1116 | ||
- In the terminal running the ncat listener, you should see the message appear
1118 | ||
1119 | ||
1120 | p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com"))) | |
1121 | ||
1122 | ||
1123 | p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443])) | |
1124 | ||
1125 | ||
1126 | p=sr(IP(dst="192.168.230.2")/TCP(dport=[80])) | |
1127 | ||
1128 | ||
1129 | traceroute (["strategicsec.com"], maxttl=20) | |
1130 | This is actually an ICMP & TCP traceroute, default destination is port 80 | |
1131 | ||
1132 | ||
1133 | traceroute (["strategicsec.com"], dport=443, maxttl=20) | |
1134 | ||
1135 | ||
1136 | ||
1137 | ############################ | |
1138 | # Ping Sweeping with Scapy # | |
1139 | ############################ | |
1140 | ||
1141 | ---------------------------------------------------------------------- | |
1142 | vi scapy-pingsweep.py | |
1143 | ||
1144 | ||
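#!/usr/bin/python
# ICMP ping sweep of one /24 with scapy. The course VM runs Python 2; the
# print() calls below use a single argument so they also work on Python 3.
from scapy.all import *

TIMEOUT = 2             # seconds to wait for each echo reply
PREFIX = "192.168.1."   # network to sweep; change this for your lab
conf.verb = 0           # silence scapy's per-packet output


def ping_sweep(prefix=PREFIX, timeout=TIMEOUT):
    """Send one ICMP echo request to prefix.0 through prefix.255 and print
    which addresses answered.

    Fix: the original printed reply.dst, which is the address of the
    *scanning* machine on every reply; the responding host is reply.src.
    Note that .0 and .255 are the network and broadcast addresses on a /24.
    """
    for last_octet in range(0, 256):
        target = prefix + str(last_octet)
        probe = IP(dst=target, ttl=20) / ICMP()
        reply = sr1(probe, timeout=timeout)
        if reply is not None:
            # NOTE(review): sr1 may also hand back an ICMP error from an
            # intermediate router; check reply[ICMP].type if that matters.
            print("%s is online" % reply[IP].src)
        else:
            print("Timeout waiting for %s" % target)


if __name__ == "__main__":
    ping_sweep()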
1157 | ---------------------------------------------------------------------- | |
1158 | ||
1159 | ||
1160 | ############################################### | |
1161 | # Checking out some scapy based port scanners # | |
1162 | ############################################### | |
1163 | ||
1164 | wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py | |
1165 | ||
1166 | cat rdp_scan.py | |
1167 | ||
1168 | sudo python rdp_scan.py 192.168.1.250 | |
1169 | ||
1170 | ||
1171 | ||
1172 | Log in to your Ubuntu system with the username 'malware' and the password 'malware'. | |
1173 | ||
1174 | After logging please open a terminal window and type the following commands: | |
1175 | ||
1176 | cd Desktop/ | |
1177 | ||
1178 | ||
This is actual malware (remember to run it in an isolated VM - the password to extract it is 'infected'):
1180 | ||
1181 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
1182 | wget http://www.beenuarora.com/code/analyse_malware.py | |
1183 | ||
1184 | unzip malware-password-is-infected.zip | |
1185 | infected | |
1186 | ||
1187 | file malware.exe | |
1188 | ||
1189 | mv malware.exe malware.pdf | |
1190 | ||
1191 | file malware.pdf | |
1192 | ||
1193 | mv malware.pdf malware.exe | |
1194 | ||
1195 | hexdump -n 2 -C malware.exe | |
1196 | ||
1197 | ***What is '4d 5a' or 'MZ'*** | |
1198 | Reference: http://www.garykessler.net/library/file_sigs.html | |
1199 | ||
1200 | ||
1201 | objdump -x malware.exe | |
1202 | ||
1203 | strings malware.exe | |
1204 | ||
1205 | strings --all malware.exe | head -n 6 | |
1206 | ||
1207 | strings malware.exe | grep -i dll | |
1208 | ||
1209 | strings malware.exe | grep -i library | |
1210 | ||
1211 | strings malware.exe | grep -i reg | |
1212 | ||
1213 | strings malware.exe | grep -i hkey | |
1214 | ||
1215 | strings malware.exe | grep -i hku | |
1216 | ||
1217 | - We didn't see anything like HKLM, HKCU or other registry type stuff | |
1218 | ||
1219 | strings malware.exe | grep -i irc | |
1220 | ||
1221 | strings malware.exe | grep -i join | |
1222 | ||
1223 | strings malware.exe | grep -i admin | |
1224 | ||
1225 | strings malware.exe | grep -i list | |
1226 | ||
1227 | ||
1228 | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands | |
1229 | sudo apt-get install -y python-pefile | |
1230 | ||
vi analyse_malware.py (read the script before running it - it was fetched over plain HTTP with no integrity check)
1232 | ||
1233 | python analyse_malware.py malware.exe | |
1234 | ||
1235 | ||
1236 | Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with: | |
1237 | http://derekmorton.name/files/malware_12-14-12.sql.bz2 | |
1238 | ||
1239 | ||
1240 | Malware Repositories: | |
1241 | http://malshare.com/index.php | |
1242 | http://www.malwareblacklist.com/ | |
1243 | http://www.virusign.com/ | |
1244 | http://virusshare.com/ | |
1245 | http://www.tekdefense.com/downloads/malware-samples/ | |
1246 | ||
1247 | ############################### | |
1248 | # Creating a Malware Database # | |
1249 | ############################### | |
1250 | ||
1251 | Creating a malware database (sqlite) | |
1252 | ------------------------------------ | |
1253 | wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
1254 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
1255 | unzip malware-password-is-infected.zip | |
1256 | infected | |
1257 | python avsubmit.py --init | |
1258 | python avsubmit.py -f malware.exe -e | |
1259 | ||
1260 | ||
1261 | ||
1262 | ||
1263 | ||
1264 | Creating a malware database (mysql) | |
1265 | ----------------------------------- | |
1266 | Step 1: Installing MySQL database | |
1267 | Run the following command in the terminal: | |
1268 | ||
1269 | sudo apt-get install mysql-server | |
1270 | ||
1271 | Step 2: Installing Python MySQLdb module | |
1272 | Run the following command in the terminal: | |
1273 | ||
1274 | sudo apt-get build-dep python-mysqldb | |
1275 | sudo apt-get install python-mysqldb | |
1276 | ||
1277 | Step 3: Logging in | |
1278 | Run the following command in the terminal: | |
1279 | ||
1280 | mysql -u root -p (set a password of 'malware') | |
1281 | ||
1282 | Then create one database by running following command: | |
1283 | ||
1284 | create database malware; | |
1285 | ||
1286 | ||
1287 | ||
1288 | wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py | |
1289 | ||
vi mal_to_db.py (fill in database connection information)
1291 | ||
1292 | python mal_to_db.py -i | |
1293 | ||
1294 | python mal_to_db.py -i -f malware.exe -u | |
1295 | ||
1296 | ||
1297 | mysql -u root -p | |
1298 | malware | |
1299 | ||
1300 | mysql> use malware; | |
1301 | ||
1302 | select id,md5,sha1,sha256,time FROM files; | |
1303 | ||
1304 | mysql> quit; | |
1305 | ||
1306 | ||
1307 | ||
1308 | ||
1309 | ||
1310 | ############################## | |
1311 | # Lesson 32: Setting up Yara # | |
1312 | ############################## | |
1313 | ||
1314 | ||
1315 | sudo apt-get install clamav clamav-freshclam | |
1316 | ||
1317 | sudo freshclam | |
1318 | ||
sudo clamscan (the command name is all lowercase)
1320 | ||
1321 | sudo apt-get install libpcre3 libpcre3-dev | |
1322 | ||
1323 | wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz | |
1324 | ||
1325 | wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz | |
1326 | ||
1327 | tar -zxvf v3.1.0.tar.gz | |
1328 | ||
1329 | cd yara-3.1.0/ | |
1330 | ||
1331 | ./bootstrap.sh | |
1332 | ||
1333 | ./configure | |
1334 | ||
1335 | make | |
1336 | ||
1337 | make check | |
1338 | ||
1339 | sudo make install | |
1340 | ||
1341 | cd yara-python/ | |
1342 | ||
1343 | python setup.py build | |
1344 | ||
1345 | sudo python setup.py install | |
1346 | ||
1347 | cd .. | |
1348 | ||
1349 | yara -v | |
1350 | ||
1351 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py | |
1352 | ||
1353 | sigtool -u /var/lib/clamav/main.cvd | |
1354 | ||
1355 | python clamav_to_yara.py -f main.ndb -o clamav.yara | |
1356 | ||
1357 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
1358 | ||
1359 | unzip malware-password-is-infected.zip | |
1360 | infected | |
1361 | ||
1362 | mkdir malcode/ | |
1363 | ||
1364 | mv malware.exe malcode/ | |
1365 | ||
1366 | vi testrule.yara | |
1367 | ---------------- | |
// Header-only checks on a PE file: fixed-offset integer reads, no string
// section. The offsets in the two rules below are relative to the PE
// signature ("PE\0\0"), whose file offset is stored in the DOS header at
// 0x3C (e_lfanew).
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

// DllCharacteristics sits 0x5E bytes past the PE signature: 0x18 for the
// signature plus COFF header, then 0x46 into the optional header (same
// offset for PE32 and PE32+). IMAGE_DLLCHARACTERISTICS_NX_COMPAT is bit
// 0x0100; the 0x00100 literal is that value with an extra leading zero.
// YARA's documented precedence binds & tighter than ==, so the comparison
// applies to the masked value without needing parentheses.
rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x00100 == 0
}

// Same DllCharacteristics field; IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE is
// bit 0x0040.
rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        IsPE and
        uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
1399 | ---------------- | |
1400 | ||
1401 | ||
1402 | yara testrule.yara malcode/malware.exe | |
1403 | ||
1404 | mkdir rules/ | |
1405 | ||
1406 | cd rules/ | |
1407 | ||
1408 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara | |
1409 | ||
1410 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara | |
1411 | ||
1412 | wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara | |
1413 | ||
1414 | cd .. | |
1415 | ||
1416 | yara rules/ malcode/malware.exe | |
1417 | ||
1418 | wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip | |
1419 | ||
1420 | unzip master.zip | |
1421 | ||
1422 | cd YaraGenerator-master/ | |
1423 | ||
1424 | python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe" | |
1425 | ||
1426 | cat Test-Rule-2.yar | |
1427 | ||
wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe (fetched over plain HTTP as a known-good file to test the rule against - verify it against the checksums published on the PuTTY site before relying on it)
1429 | ||
1430 | yara Test-Rule-2.yar putty.exe | |
1431 | ||
1432 | ||
1433 | ||
1434 | ||
1435 | #################### | |
1436 | # Additional Tasks # | |
1437 | #################### | |
1438 | ||
1439 | - PE Scanner: | |
1440 | https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py | |
1441 | http://www.beenuarora.com/code/analyse_malware.py | |
1442 | ||
1443 | - AV submission: | |
1444 | http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py | |
1445 | https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py | |
1446 | ||
1447 | - Malware Database Creation: | |
1448 | https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py | |
1449 | ||
1450 | ||
1451 | ||
1452 | ||
1453 | cd /home/malware/Desktop/Browser\ Forensics | |
1454 | ||
1455 | ls | grep pcap | |
1456 | ||
1457 | perl chaosreader.pl suspicious-time.pcap | |
1458 | ||
1459 | firefox index.html | |
1460 | ||
1461 | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | |
1462 | ||
1463 | cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr | |
1464 | ||
1465 | sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs | |
1466 | ||
1467 | ||
1468 | ||
1469 | ||
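# Map each chaosreader HTTP session file (session_00NN.www.html) to
# "src --> dst = Host header": the endpoints come from the "www: " line,
# the Host value(s) from the request's Host: header(s) in the same file.
# Changes from the original one-liner: $(...) instead of backticks, every
# expansion quoted, the per-field `cat | grep` collapsed into grep on the
# file, an -e guard so an unmatched glob does not feed the literal pattern
# to grep, and printf instead of echo because the Host value is data from
# the capture (attacker-controlled) and must not be parsed as echo options.
for sess in session_00[0-9]*.www.html; do
  [ -e "$sess" ] || continue
  srcip=$(grep 'www: ' "$sess" | awk '{print $2}' | cut -d ':' -f1)
  dstip=$(grep 'www: ' "$sess" | awk '{print $4}' | cut -d ':' -f1)
  host=$(grep 'Host: ' "$sess" | sort -u | sed -e 's/Host: //g')
  printf '%s --> %s = %s\n' "$srcip" "$dstip" "$host"
done | sort -u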
1471 | ||
1472 | ||
1473 | tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u | |
1474 | ||
1475 | ||
1476 | tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u | |
1477 | ||
1478 | ||
1479 | tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?' | |
1480 | ||
1481 | ||
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
1483 | ||
1484 | ||
tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq   (-Y is the single-pass display filter; tshark 1.10 and later refuse -R unless -2 is also given)
1486 | ||
1487 | tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq | |
1488 | ||
1489 | tshark -r suspicious-time.pcap -qz ip_hosts,tree | |
1490 | ||
tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
1492 | ||
tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
1494 | ||
1495 | ||
1496 | whois rapidshare.com.eyu32.ru | |
1497 | ||
1498 | whois sploitme.com.cn | |
1499 | ||
1500 | ||
1501 | ||
1502 | ||
1503 | ||
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
1505 | ||
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
1507 | ||
1508 | tshark -r suspicious-time.pcap -qz http_req,tree | |
1509 | ||
tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
1511 | ||
tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
1513 | ||
1514 | ||
1515 | ||
1516 | ||
1517 | ||
1518 | cd /home/malware/Desktop/Banking\ Troubles/Volatility | |
1519 | ||
1520 | python volatility | |
1521 | python volatility pslist -f ../hn_forensics.vmem | |
1522 | python volatility connscan2 -f ../hn_forensics.vmem | |
1523 | python volatility memdmp -p 888 -f ../hn_forensics.vmem | |
1524 | python volatility memdmp -p 1752 -f ../hn_forensics.vmem | |
1525 | ***Takes a few min*** | |
1526 | strings 1752.dmp | grep "^http://" | sort | uniq | |
1527 | strings 1752.dmp | grep "Ahttps://" | uniq -u | |
1528 | cd .. | |
1529 | cd foremost-1.5.7/ | |
1530 | foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2 | |
1531 | cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/ | |
1532 | cat audit.txt | |
1533 | cd pdf | |
1534 | ls | |
1535 | grep -i javascript *.pdf | |
1536 | ||
1537 | ||
1538 | ||
1539 | cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf | |
1540 | wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip | |
1541 | unzip pdf-parser_V0_6_4.zip | |
1542 | python pdf-parser.py -s javascript --raw 00600328.pdf | |
1543 | python pdf-parser.py --object 11 00600328.pdf | |
1544 | python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js | |
1545 | ||
1546 | cat malicious.js | |
1547 | ||
1548 | ||
1549 | *****Sorry - no time to cover javascript de-obfuscation today***** | |
1550 | ||
1551 | ||
1552 | cd /home/malware/Desktop/Banking\ Troubles/Volatility/ | |
1553 | python volatility files -f ../hn_forensics.vmem > files | |
1554 | cat files | less | |
1555 | python volatility malfind -f ../hn_forensics.vmem -d out | |
1556 | ls out/ | |
1557 | python volatility hivescan -f ../hn_forensics.vmem | |
1558 | python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon | |
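# Report which process memory dumps (written by "volatility memdmp" above)
# contain the string "bankofamerica". The original iterated over `$(ls
# *.dmp)`, which word-splits on whitespace in filenames; a plain glob with
# an -e guard (skips the literal pattern when no .dmp exists) and quoted
# expansions do the same job safely.
for dump in *.dmp; do
  [ -e "$dump" ] || continue
  printf '%s\n' "$dump"
  strings -- "$dump" | grep bankofamerica
done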