1 | ############################## | |
2 | # Linux For InfoSec Pros # | |
3 | # By Joe McCray # | |
4 | ############################## | |
5 | ||
6 | Here is the download link for the video of the morning session: | |
7 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-9_233534_recording.mp4 | |
8 | ||
9 | Here is the download link for the video of the afternoon session: | |
10 | https://s3.amazonaws.com/StrategicSec-Videos/_2015_4_18_rec-lw-us-4_233632_recording.mp4 | |
11 | ||
12 | ||
13 | ||
14 | ########## | |
15 | # VMWare # | |
16 | ########## | |
17 | - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player. | |
18 | ||
19 | - A 30-day trial of Workstation 11 can be downloaded from here: | |
20 | - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation/11_0 | |
21 | ||
22 | - A 30-day trial of Fusion 7 can be downloaded from here: | |
23 | - https://my.vmware.com/web/vmware/info/slug/desktop_end_user_computing/vmware_fusion/7_0 | |
24 | ||
25 | - The newest version of VMWare Player can be downloaded from here: | |
26 | - https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0 | |
27 | ||
28 | ||
29 | - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class. | |
30 | ||
31 | ||
32 | ########################## | |
33 | # Download the attack VM # | |
34 | ########################## | |
35 | https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip | |
36 | user: strategicsec | |
37 | pass: strategicsec | |
38 | ||
39 | Here is a good set of slides for getting started with Linux: | |
40 | http://www.slideshare.net/olafusimichael/linux-training-24086319 | |
41 | ||
42 | ||
43 | ||
44 | ######################################## | |
45 | # Boot up the StrategicSec Ubuntu host # | |
46 | # You can also boot up the Win7 as well# | |
47 | ######################################## | |
48 | ||
49 | - Log in to your Ubuntu host with the following credentials: | |
50 | user: strategicsec | |
51 | pass: strategicsec | |
52 | ||
53 | ||
54 | ||
55 | - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests. | |
56 | - You can download Putty from here: | |
57 | - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe | |
58 | ||
59 | ||
60 | - For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host | |
61 | ||
62 | ||
63 | ||
64 | ######################## | |
65 | # Basic Linux Commands # | |
66 | ######################## | |
67 | ||
68 | pwd | |
69 | ||
70 | whereis pwd | |
71 | ||
72 | which pwd | |
73 | ||
74 | sudo find / -name pwd | |
75 | ||
76 | /bin/pwd | |
77 | ||
78 | mkdir test | |
79 | ||
80 | cd test | |
81 | ||
82 | touch one two three | |
83 | ||
84 | ls -l t (without pressing the Enter key, press the Tab key twice. What happens?) | |
85 | ||
86 | h (and again without pressing the Enter key, press the Tab key twice. What happens?) | |
87 | ||
88 | Press the 'Up arrow key' (What happens?) | |
89 | ||
90 | Press 'Ctrl-A' (What happens?) | |
91 | ||
92 | ls | |
93 | ||
94 | clear (What happens?) | |
95 | ||
96 | echo one > one | |
97 | ||
98 | cat one (What happens?) | |
99 | ||
100 | man cat (What happens?) | |
101 | q | |
102 | ||
103 | cat two | |
104 | ||
105 | cat one > two | |
106 | ||
107 | cat two | |
108 | ||
109 | cat one two > three | |
110 | ||
111 | cat three | |
112 | ||
113 | echo four >> three | |
114 | ||
115 | cat three (What happens?) | |
116 | ||
117 | wc -l three | |
118 | ||
119 | man wc | |
120 | q | |
121 | ||
122 | cat three | grep four | |
123 | ||
124 | cat three | grep one | |
125 | ||
126 | man grep | |
127 | q | |
128 | ||
129 | ||
130 | sudo grep eth[01] /etc/* (What happens?) | |
131 | ||
132 | cat /etc/iftab | |
133 | ||
134 | ||
135 | man ps | |
136 | q | |
137 | ||
138 | ps | |
139 | ||
140 | ps aux | |
141 | ||
142 | ps aux | less | |
143 | ||
144 | Press the 'Up arrow key' (What happens?) | |
145 | ||
146 | Press the 'Down arrow key' (What happens?) | |
147 | q | |
148 | ||
149 | top | |
150 | ||
151 | ||
152 | ######################################################################### | |
153 | # What kind of Linux am I on and how can I find out? # | |
154 | # Great reference: # | |
155 | # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ # | |
156 | ######################################################################### | |
157 | What’s the distribution type? What version? | |
158 | ------------------------------------------- | |
159 | cat /etc/issue | |
160 | cat /etc/*-release | |
161 | cat /etc/lsb-release # Debian based | |
162 | cat /etc/redhat-release # Redhat based | |
163 | ||
164 | ||
165 | ||
166 | What’s the kernel version? Is it 64-bit? | |
167 | ------------------------------------------- | |
168 | cat /proc/version | |
169 | uname -a | |
170 | uname -mrs | |
171 | rpm -q kernel | |
172 | dmesg | grep Linux | |
173 | ls /boot | grep vmlinuz- | |
174 | ||
175 | ||
176 | ||
177 | What can be learnt from the environmental variables? | |
178 | ---------------------------------------------------- | |
179 | cat /etc/profile | |
180 | cat /etc/bashrc | |
181 | cat ~/.bash_profile | |
182 | cat ~/.bashrc | |
183 | cat ~/.bash_logout | |
184 | env | |
185 | set | |
186 | ||
187 | ||
What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


Which services are being run by root? Of these, which are vulnerable? It's worth a double check!
-----------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
dpkg --get-selections | grep -v deinstall
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/


Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
-------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.cnf
cat /etc/mysql/my.cnf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'      # everything under /etc that is readable



What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # Search for Joomla passwords (single quotes, so the shell does not expand $password)
251 | ||
252 | ||
253 | What NIC(s) does the system have? Is it connected to another network? | |
254 | --------------------------------------------------------------------- | |
255 | /sbin/ifconfig -a | |
256 | cat /etc/network/interfaces | |
257 | cat /etc/sysconfig/network | |
258 | ||
259 | ||
260 | What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway? | |
261 | ------------------------------------------------------------------------------------------------------------------------ | |
262 | cat /etc/resolv.conf | |
263 | cat /etc/sysconfig/network | |
264 | cat /etc/networks | |
265 | iptables -L | |
266 | hostname | |
267 | dnsdomainname | |
268 | ||
269 | What other users & hosts are communicating with the system? | |
270 | ----------------------------------------------------------- | |
271 | lsof -i | |
272 | lsof -i :80 | |
273 | grep 80 /etc/services | |
274 | netstat -antup | |
275 | netstat -antpx | |
276 | netstat -tulpn | |
277 | chkconfig --list | |
278 | chkconfig --list | grep 3:on | |
279 | last | |
280 | w | |
281 | ||
282 | ||
283 | ||
284 | Whats cached? IP and/or MAC addresses | |
285 | ------------------------------------- | |
286 | arp -e | |
287 | route | |
288 | /sbin/route -nee | |
289 | ||
290 | ||
Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cat /etc/passwd | cut -d: -f1                                  # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'    # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd                      # List of super users
cat /etc/sudoers
sudo -l



What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



Anything "interesting" in the home directories? If it's possible to access them
--------------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords
--------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
334 | ||
335 | ||
336 | ||
337 | What user information can be found? | |
338 | ----------------------------------- | |
339 | cat ~/.bashrc | |
340 | cat ~/.profile | |
341 | cat /var/mail/root | |
342 | cat /var/spool/mail/root | |
343 | ||
344 | ||
345 | Can private-key information be found? | |
346 | ------------------------------------- | |
347 | cat ~/.ssh/authorized_keys | |
348 | cat ~/.ssh/identity.pub | |
349 | cat ~/.ssh/identity | |
350 | cat ~/.ssh/id_rsa.pub | |
351 | cat ~/.ssh/id_rsa | |
352 | cat ~/.ssh/id_dsa.pub | |
353 | cat ~/.ssh/id_dsa | |
354 | cat /etc/ssh/ssh_config | |
355 | cat /etc/ssh/sshd_config | |
356 | cat /etc/ssh/ssh_host_dsa_key.pub | |
357 | cat /etc/ssh/ssh_host_dsa_key | |
358 | cat /etc/ssh/ssh_host_rsa_key.pub | |
359 | cat /etc/ssh/ssh_host_rsa_key | |
360 | cat /etc/ssh/ssh_host_key.pub | |
361 | cat /etc/ssh/ssh_host_key | |
362 | ||
363 | ||
364 | Any settings/files (hidden) on website? Any settings file with database information? | |
365 | ------------------------------------------------------------------------------------ | |
366 | ls -alhR /var/www/ | |
367 | ls -alhR /srv/www/htdocs/ | |
368 | ls -alhR /usr/local/www/apache22/data/ | |
369 | ls -alhR /opt/lampp/htdocs/ | |
370 | ls -alhR /var/www/html/ | |
371 | ||
372 | ||
373 | Is there anything in the log file(s) (Could help with “Local File Includes”!) | |
374 | ----------------------------------------------------------------------------- | |
375 | cat /etc/httpd/logs/access_log | |
376 | cat /etc/httpd/logs/access.log | |
377 | cat /etc/httpd/logs/error_log | |
378 | cat /etc/httpd/logs/error.log | |
379 | cat /var/log/apache2/access_log | |
380 | cat /var/log/apache2/access.log | |
381 | cat /var/log/apache2/error_log | |
382 | cat /var/log/apache2/error.log | |
383 | cat /var/log/apache/access_log | |
384 | cat /var/log/apache/access.log | |
385 | cat /var/log/auth.log | |
386 | cat /var/log/chttp.log | |
387 | cat /var/log/cups/error_log | |
388 | cat /var/log/dpkg.log | |
389 | cat /var/log/faillog | |
390 | cat /var/log/httpd/access_log | |
391 | cat /var/log/httpd/access.log | |
392 | cat /var/log/httpd/error_log | |
393 | cat /var/log/httpd/error.log | |
394 | cat /var/log/lastlog | |
395 | cat /var/log/lighttpd/access.log | |
396 | cat /var/log/lighttpd/error.log | |
397 | cat /var/log/lighttpd/lighttpd.access.log | |
398 | cat /var/log/lighttpd/lighttpd.error.log | |
399 | cat /var/log/messages | |
400 | cat /var/log/secure | |
401 | cat /var/log/syslog | |
402 | cat /var/log/wtmp | |
403 | cat /var/log/xferlog | |
404 | cat /var/log/yum.log | |
405 | cat /var/run/utmp | |
406 | cat /var/webmin/miniserv.log | |
407 | cat /var/www/logs/access_log | |
408 | cat /var/www/logs/access.log | |
409 | ls -alh /var/lib/dhcp3/ | |
410 | ls -alh /var/log/postgresql/ | |
411 | ls -alh /var/log/proftpd/ | |
412 | ls -alh /var/log/samba/ | |
413 | ||
414 | Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp | |
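
- Added example (not part of the original workshop material): a small Python script that answers four of the checklist questions above from file contents instead of by eye: UID-0 accounts and interactive users from /etc/passwd, root-owned entries in the system crontab, and password-looking lines in a config file. The inputs are constructed samples embedded in the script; on a real host point the functions at /etc/passwd, /etc/crontab and the config files listed above.

```python
import re

# Constructed sample inputs; they are not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/bash
strategicsec:x:1000:1000:StrategicSec,,,:/home/strategicsec:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (user name is column 6)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *\t* * *\troot\tcd / && run-parts --report /etc/cron.hourly
*/5 *\t* * *\troot\t/opt/backup/sync.sh
30 2\t* * *\twww-data /var/www/cleanup.py
"""

SAMPLE_CONFIG = """\
[database]
host = db.internal
user = appuser
password = Sup3rS3cret!
# password = old-one
DB_PASSWD=changeme
"""

NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
CRED_RE = re.compile(r"pass(w(or)?d)?\s*[=:]", re.IGNORECASE)


def parse_passwd(text):
    """One dict per /etc/passwd line: name, uid, gid, home, shell."""
    users = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        users.append({"name": fields[0], "uid": int(fields[2]), "gid": int(fields[3]),
                      "home": fields[5], "shell": fields[6]})
    return users


def uid0_accounts(text):
    """Same question as awk -F: '($3 == "0")': every account that is really root."""
    return [u["name"] for u in parse_passwd(text) if u["uid"] == 0]


def interactive_users(text):
    """Accounts that can actually log in (shell is not a nologin/false stub)."""
    return [u["name"] for u in parse_passwd(text) if u["shell"] not in NOLOGIN_SHELLS]


def root_cron_jobs(text):
    """(schedule, command) for every /etc/crontab entry that runs as root.
    The system crontab has a user column; per-user crontabs do not."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue                      # comment or VAR=value line
        parts = line.split(None, 6)       # 5 time fields, user, rest of line
        if len(parts) < 7:
            continue
        schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        if user == "root":
            jobs.append((schedule, command))
    return jobs


def credential_lines(text):
    """Lines that look like they carry a password (what `grep -i pass` finds),
    skipping lines that are commented out."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#") or stripped.startswith(";"):
            continue
        if CRED_RE.search(stripped):
            hits.append(stripped)
    return hits


if __name__ == "__main__":
    # Runs against the constructed samples; on a real host read /etc/passwd,
    # /etc/crontab and the config files from the checklist instead.
    print("uid 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("interactive users:", interactive_users(SAMPLE_PASSWD))
    for schedule, command in root_cron_jobs(SAMPLE_CRONTAB):
        print("root cron job:", schedule, "->", command)
    for line in credential_lines(SAMPLE_CONFIG):
        print("possible credential:", line)
```

A second UID-0 account such as the 'toor' line in the sample, or a root cron job that runs a script from a world-writable directory, is exactly what the manual checklist is hunting for; the script only makes those answers repeatable.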
415 | ||
416 | ||
417 | ########################### | |
418 | # Target IP Determination # | |
419 | ########################### | |
420 | - This portion starts the actual workshop content | |
421 | - Zone Transfer fails on most domains, but here is an example of one that works: | |
422 | dig axfr heartinternet.co.uk @ns.heartinternet.co.uk | |
423 | ||
424 | ||
425 | - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce | |
426 | perl blindcrawl.pl -d motorola.com | |
427 | Look up the IP addresses at: | |
428 | http://www.networksolutions.com/whois/index.jsp | |
429 | ||
430 | ||
431 | - Note: If you are on a different machine and need to download blindcrawl can you download it this way: | |
432 | wget dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl | |
433 | chmod +x blindcrawl.pl | |
434 | ||
435 | ||
436 | ||
437 | cd ~/toolz/fierce2 | |
438 | sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim subversion | |
439 | strategicsec | |
440 | ||
441 | ||
442 | - Note: Only run this 'svn co' command below if you are NOT on the strategicsec VM: | |
443 | svn co https://svn.assembla.com/svn/fierce/fierce2/trunk/ fierce2/ | |
444 | ||
445 | ||
446 | cd ~/toolz/fierce2 | |
447 | wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz | |
448 | tar -zxvf Template-Toolkit-2.14.tar.gz | |
449 | cd Template-Toolkit-2.14/ | |
450 | perl Makefile.PL | |
451 | y | |
452 | y | |
453 | n | |
454 | y | |
455 | sudo make install | |
456 | strategicsec | |
457 | ||
458 | cd .. | |
459 | ||
460 | sudo bash install.sh | |
461 | strategicsec | |
462 | ||
463 | ./fierce | |
464 | ||
465 | ./fierce -dns motorola.com | |
466 | ||
467 | cd ~/toolz/ | |
468 | ||
469 | - Note: Only run these 'wget, gcc, chmod' commands below if you are NOT on the strategicsec VM: | |
470 | wget https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c | |
471 | gcc -o ipcrawl ipcrawl.c | |
472 | chmod +x ipcrawl | |
473 | ||
474 | ||
475 | ||
476 | - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is | |
477 | cd ~/toolz/ | |
478 | ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range) | |
479 | ||
480 | ||
481 | sudo nmap -sL 148.87.1.0-255 | |
482 | strategicsec | |
483 | ||
484 | sudo nmap -sL 148.87.1.0-255 | grep oracle | |
485 | strategicsec | |
486 | ||
487 | - Reference: http://blog.depthsecurity.com/2012/01/obtaining-hostdomain-names-through-ssl.html | |
488 | sudo nmap -p 443,444,8443,8080,8088 --script=ssl-cert --open 144.189.100.1-254 | |
489 | strategicsec | |
490 | ||
491 | ||
492 | ||
493 | ||
494 | ########################### | |
495 | # Load Balancer Detection # | |
496 | ########################### | |
497 | ||
498 | - Here are some options to use for identifying load balancers: | |
499 | - http://toolbar.netcraft.com/site_report/ | |
500 | - Firefox LiveHTTP Headers | |
501 | ||
502 | ||
503 | - Here are some command-line options to use for identifying load balancers: | |
504 | ||
505 | dig google.com | |
506 | ||
507 | cd ~/toolz | |
508 | ./lbd-0.1.sh google.com | |
509 | ||
510 | ||
511 | halberd microsoft.com | |
512 | halberd motorola.com | |
513 | halberd oracle.com | |
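
- Added example, not part of the workshop and not halberd's or lbd's own code: the idea both tools rely on, in Python over constructed responses. Fetch the same URL several times and compare what came back: differing Server banners, a persistence cookie named like the ones F5, AWS ALB, Azure and HAProxy set (an assumed list), and Date headers whose offset from your own clock disagrees by more than a few seconds, which means more than one backend clock answered. The sample responses are constructed, not captured from any of the sites above.

```python
from email.utils import parsedate_to_datetime

# Session-persistence cookie names set by common load balancers
# (F5 BIG-IP, AWS ALB, Azure App Service, HAProxy's documented example).
# Assumed list for this example; extend it with what you meet in the field.
LB_COOKIE_PREFIXES = ("BIGipServer", "AWSALB", "ARRAffinity", "SERVERID")

# Constructed responses: three GETs of the same URL. received_at is our own
# clock (epoch seconds) when each response arrived. Not captured from a real site.
SAMPLE_RESPONSES = [
    {"received_at": 1700000000.0,
     "headers": {"Server": "Apache/2.4.57",
                 "Date": "Tue, 14 Nov 2023 22:13:20 GMT",
                 "Set-Cookie": "BIGipServerpool_web=1677787402.20480.0000; path=/"}},
    {"received_at": 1700000000.4,
     "headers": {"Server": "Apache/2.4.41",
                 "Date": "Tue, 14 Nov 2023 22:12:45 GMT",
                 "Set-Cookie": "BIGipServerpool_web=1694564618.20480.0000; path=/"}},
    {"received_at": 1700000000.8,
     "headers": {"Server": "Apache/2.4.57",
                 "Date": "Tue, 14 Nov 2023 22:13:20 GMT"}},
]


def server_banners(responses):
    """Distinct Server header values seen across the responses."""
    return sorted({r["headers"]["Server"] for r in responses if "Server" in r["headers"]})


def persistence_cookies(responses):
    """Cookie names that match a known load balancer persistence cookie."""
    names = set()
    for r in responses:
        cookie = r["headers"].get("Set-Cookie")
        if cookie:
            names.add(cookie.split("=", 1)[0].strip())
    return sorted(n for n in names if n.startswith(LB_COOKIE_PREFIXES))


def date_skew(responses):
    """Largest disagreement, in seconds, between the backends' clocks.
    Each Date header is compared with our own receive time, so network
    delay cancels out and only the backend clock offset remains."""
    offsets = []
    for r in responses:
        if "Date" in r["headers"]:
            server_time = parsedate_to_datetime(r["headers"]["Date"]).timestamp()
            offsets.append(server_time - r["received_at"])
    return max(offsets) - min(offsets) if offsets else 0.0


def detect_load_balancer(responses, skew_threshold=5.0):
    """Evidence strings; an empty list means nothing points at multiple backends."""
    evidence = []
    banners = server_banners(responses)
    if len(banners) > 1:
        evidence.append("Server header varies: " + ", ".join(banners))
    for name in persistence_cookies(responses):
        evidence.append("load balancer persistence cookie: " + name)
    skew = date_skew(responses)
    if skew > skew_threshold:
        evidence.append("Date header skew of %.0f seconds between responses" % skew)
    return evidence


if __name__ == "__main__":
    # In the field, build the dicts from repeated urllib/requests calls to one URL.
    for line in detect_load_balancer(SAMPLE_RESPONSES) or ["no load balancer evidence"]:
        print(line)
```

Send enough requests (halberd runs for a while for this reason) that each backend has answered at least once; a pool that returns identical banners and keeps its clocks in sync will only show up through the persistence cookie, or not at all.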
514 | ||
515 | ||
516 | ||
517 | ||
518 | ||
519 | ###################################### | |
520 | # Web Application Firewall Detection # | |
521 | ###################################### | |
522 | ||
523 | cd ~/toolz/wafw00f | |
524 | python wafw00f.py http://www.oracle.com | |
525 | python wafw00f.py http://www.strategicsec.com | |
526 | ||
527 | ||
528 | cd ~/toolz/ | |
529 | sudo nmap -p 80 --script http-waf-detect.nse oracle.com | |
530 | strategicsec | |
531 | ||
532 | sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov | |
533 | strategicsec | |
534 | ||
535 | ||
536 | ######################### | |
537 | # Playing with Nmap NSE # | |
538 | ######################### | |
539 | ||
540 | nmap -Pn -p80 --script ip-geolocation-* strategicsec.com | |
541 | ||
542 | nmap -p80 --script dns-brute strategicsec.com | |
543 | ||
544 | nmap --script http-robtex-reverse-ip secore.info | |
545 | ||
546 | nmap -Pn -p80 --script=http-headers strategicsec.com | |
547 | ||
548 | ||
549 | ls /usr/share/nmap/scripts | grep http | |
550 | nmap -Pn -p80 --script=http-* strategicsec.com | |
551 | ||
552 | ############ | |
553 | # Nmap NSE # | |
554 | ############ | |
555 | ||
556 | - Reference for this tutorial is: | |
557 | https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/ | |
558 | ||
559 | ---------------------------------------------------------------------- | |
560 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
561 | strategicsec | |
562 | ||
563 | ||
564 | ||
565 | -- The Head Section -- | |
566 | -- The Rule Section -- | |
567 | portrule = function(host, port) | |
568 | return port.protocol == "tcp" | |
569 | and port.number == 80 | |
570 | and port.state == "open" | |
571 | end | |
572 | ||
573 | -- The Action Section -- | |
574 | action = function(host, port) | |
575 | return "I love Linux!" | |
576 | end | |
577 | ---------------------------------------------------------------------- | |
578 | ||
579 | - Ok, now that we've made that change let's run the script | |
580 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443 | |
581 | ||
582 | ||
583 | ||
584 | ||
585 | ||
586 | ||
587 | ---------------------------------------------------------------------- | |
588 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
589 | ||
590 | -- The Head Section -- | |
591 | local shortport = require "shortport" | |
592 | ||
593 | -- The Rule Section -- | |
594 | portrule = shortport.http | |
595 | ||
596 | ||
597 | -- The Action Section -- | |
598 | action = function(host, port) | |
599 | return "I still love Linux!" | |
600 | end | |
601 | ---------------------------------------------------------------------- | |
602 | ||
603 | - Ok, now that we've made that change let's run the script | |
604 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse strategicsec.com -p 22,80,443 | |
605 | ||
606 | ||
607 | ||
608 | ||
609 | ||
610 | ||
611 | ||
612 | OK, now let's have some fun with my buddy Carlos Perez's website which you should have been looking at quite a lot if you were trying to get Ruby 2.1.5 working. | |
613 | ||
614 | ---------------------------------------------------------------------- | |
615 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
616 | ||
617 | -- The Head Section -- | |
618 | local shortport = require "shortport" | |
619 | local http = require "http" | |
620 | ||
621 | -- The Rule Section -- | |
622 | portrule = shortport.http | |
623 | ||
624 | -- The Action Section -- | |
625 | action = function(host, port) | |
626 | ||
627 | local uri = "/installing-metasploit-in-ubunt/" | |
628 | local response = http.get(host, port, uri) | |
629 | return response.status | |
630 | ||
631 | end | |
632 | ---------------------------------------------------------------------- | |
633 | ||
634 | - Ok, now that we've made that change let's run the script | |
635 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
636 | ||
637 | ||
638 | ||
639 | ||
640 | ---------------------------------------------------------------------- | |
641 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
642 | ||
643 | -- The Head Section -- | |
644 | local shortport = require "shortport" | |
645 | local http = require "http" | |
646 | ||
647 | -- The Rule Section -- | |
648 | portrule = shortport.http | |
649 | ||
650 | -- The Action Section -- | |
651 | action = function(host, port) | |
652 | ||
653 | local uri = "/installing-metasploit-in-ubunt/" | |
654 | local response = http.get(host, port, uri) | |
655 | ||
656 | if ( response.status == 200 ) then | |
657 | return response.body | |
658 | end | |
659 | ||
660 | end | |
661 | ---------------------------------------------------------------------- | |
662 | ||
663 | - Ok, now that we've made that change let's run the script | |
664 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
665 | ||
666 | ||
667 | ||
668 | ||
669 | ||
670 | ||
671 | ||
672 | ||
673 | ||
674 | ---------------------------------------------------------------------- | |
675 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
676 | ||
677 | -- The Head Section -- | |
678 | local shortport = require "shortport" | |
679 | local http = require "http" | |
680 | local string = require "string" | |
681 | ||
682 | -- The Rule Section -- | |
683 | portrule = shortport.http | |
684 | ||
685 | -- The Action Section -- | |
686 | action = function(host, port) | |
687 | ||
688 | local uri = "/installing-metasploit-in-ubunt/" | |
689 | local response = http.get(host, port, uri) | |
690 | ||
691 | if ( response.status == 200 ) then | |
692 | local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian") | |
693 | return title | |
694 | end | |
695 | ||
696 | end | |
697 | ---------------------------------------------------------------------- | |
698 | ||
699 | - Ok, now that we've made that change let's run the script | |
700 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
701 | ||
702 | ||
703 | ||
704 | ||
705 | ||
706 | ||
707 | ||
708 | ---------------------------------------------------------------------- | |
709 | sudo vi /usr/share/nmap/scripts/intro-nse.nse | |
710 | ||
711 | -- The Head Section -- | |
712 | local shortport = require "shortport" | |
713 | local http = require "http" | |
714 | local string = require "string" | |
715 | ||
716 | -- The Rule Section -- | |
717 | portrule = shortport.http | |
718 | ||
719 | -- The Action Section -- | |
720 | action = function(host, port) | |
721 | ||
722 | local uri = "/installing-metasploit-in-ubunt/" | |
723 | local response = http.get(host, port, uri) | |
724 | ||
725 | if ( response.status == 200 ) then | |
726 | local title = string.match(response.body, "Installing Metasploit in Ubuntu and Debian") | |
727 | ||
728 | if (title) then | |
729 | return "Vulnerable" | |
730 | else | |
731 | return "Not Vulnerable" | |
732 | end | |
733 | end | |
734 | end | |
735 | ||
736 | ---------------------------------------------------------------------- | |
737 | ||
738 | - Ok, now that we've made that change let's run the script | |
739 | sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443 | |
740 | ||
741 | ||
742 | ||
743 | #################### | |
744 | # Installing Scapy # | |
745 | #################### | |
746 | ||
747 | sudo apt-get update | |
748 | sudo apt-get install python-scapy python-pyx python-gnuplot | |
749 | ||
750 | ||
751 | - Reference Page For All Of The Commands We Will Be Running: | |
752 | http://samsclass.info/124/proj11/proj17-scapy.html | |
753 | ||
754 | ||
755 | ||
756 | ||
757 | ||
758 | - To run Scapy interactively | |
759 | ||
760 | sudo scapy | |
761 | ||
762 | ||
763 | ||
764 | ##################################### | |
765 | # Sending ICMPv4 Packets with scapy # | |
766 | ##################################### | |
767 | ||
768 | - In the Linux machine, in the Terminal window, at the >>> prompt, type this command, and then press the Enter key: | |
769 | ||
770 | i = IP() | |
771 | ||
772 | ||
773 | ||
774 | ||
775 | - This creates an object named i of type IP. To see the properties of that object, use the display() method with this command: | |
776 | ||
777 | i.display() | |
778 | ||
779 | ||
780 | ||
781 | ||
782 | - Use these commands to set the destination IP address and display the properties of the i object again. Replace the IP address in the first command with the IP address of your target Windows machine: | |
783 | ||
784 | i.dst="192.168.54.184" | |
785 | ||
786 | i.display() | |
787 | ||
788 | ||
789 | ||
790 | ||
791 | - Notice that scapy automatically fills in your machine's source IP address. | |
792 | ||
793 | - Use these commands to create an object named ic of type ICMP and display its properties: | |
794 | ||
795 | ||
796 | ic = ICMP() | |
797 | ||
798 | ic.display() | |
799 | ||
800 | ||
801 | ||
802 | ||
803 | ||
804 | - Use this command to send the packet onto the network and listen to a single packet in response. Note that the third character is the numeral 1, not a lowercase L: | |
805 | ||
806 | sr1(i/ic) | |
807 | ||
808 | ||
809 | ||
810 | ||
811 | ||
812 | - This command sends and receives one packet, of type IP at layer 3 and ICMP at layer 4. | |
813 | ||
814 | ||
815 | - The Padding section shows the portion of the packet that carries higher-level data. In this case it contains only zeroes as padding. | |
816 | ||
817 | - Use this command to send a packet that is IP at layer 3, ICMP at layer 4, and that contains data with your name in it (replace YOUR NAME with your own name): | |
818 | ||
819 | ||
820 | sr1(i/ic/"YOUR NAME") | |
821 | ||
822 | ||
823 | - You should see a reply with a Raw section containing your name. | |
824 | ||
825 | ||
826 | ||
827 | ################################### | |
828 | # Sending a UDP Packet with Scapy # | |
829 | ################################### | |
830 | ||
831 | ||
832 | - Preparing the Target | |
833 | $ ncat -ulvp 4444 | |
834 | ||
835 | ||
836 | ||
837 | ||
838 | --open another terminal-- | |
839 | In the Linux machine, in the Terminal window, at the >>> prompt, type these commands, and then press the Enter key: | |
840 | ||
841 | u = UDP() | |
842 | ||
843 | u.display() | |
844 | ||
845 | ||
846 | ||
847 | - This creates an object named u of type UDP, and displays its properties. | |
848 | ||
849 | - Execute these commands to change the destination port to 4444 and display the properties again: | |
850 | ||
851 | i.dst="192.168.54.184" <--- replace this with a host that you can run netcat on (ex: another VM or your host computer) | |
852 | ||
853 | u.dport = 4444 | |
854 | ||
855 | u.display() | |
856 | ||
857 | ||
858 | ||
- Execute this command to send the packet to the host running the ncat listener:

send(i/u/"YOUR NAME SENT VIA UDP\n")



- In the ncat window on the target you should see the message appear
866 | ||
867 | ||
868 | p = sr1(IP(dst="8.8.8.8")/UDP()/DNS(rd=1,qd=DNSQR(qname="strategicsec.com"))) | |
869 | ||
870 | ||
871 | p=sr(IP(dst="192.168.230.2")/TCP(dport=[23,80,53,443])) | |
872 | ||
873 | ||
874 | p=sr(IP(dst="192.168.230.2")/TCP(dport=[80])) | |
875 | ||
876 | ||
traceroute(["strategicsec.com"], maxttl=20)
This is a TCP SYN traceroute, not the UDP one the system traceroute does by default: scapy sends SYNs to port 80 with increasing TTL, intermediate hops answer with ICMP time-exceeded, and the target answers with SYN/ACK or RST.
879 | ||
880 | ||
881 | traceroute (["strategicsec.com"], dport=443, maxttl=20) | |
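
- Added example (not from the workshop or from samsclass.info): the sr(IP(dst=...)/TCP(dport=[...])) calls above hand back raw answers; this Python script turns them into nmap-style open/closed/filtered results, the same logic nmap -sS uses. The classifier is a pure function so it can be checked without scapy or root; syn_scan() imports scapy only when called and needs root for raw sockets. The target address in the usage stanza is an assumption.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10
# ICMP destination-unreachable codes that nmap reports as 'filtered' for a SYN probe
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def classify_syn_reply(tcp_flags=None, icmp_type=None, icmp_code=None):
    """Map the reply to one SYN probe onto nmap's open/closed/filtered.
    tcp_flags is the reply's TCP flags as an int, or None when the reply
    was not TCP (an ICMP error, or nothing at all)."""
    if tcp_flags is not None:
        if tcp_flags & SYN and tcp_flags & ACK:
            return ("open", "SYN/ACK")
        if tcp_flags & RST:
            return ("closed", "RST")
        return ("unknown", "unexpected TCP flags 0x%02x" % tcp_flags)
    if icmp_type == 3 and icmp_code in ICMP_FILTERED_CODES:
        return ("filtered", "ICMP unreachable code %d" % icmp_code)
    return ("filtered", "no reply")


def syn_scan(target, ports, timeout=2):
    """Send one SYN per port with sr() and classify every answer.
    scapy is imported here so the classifier above is testable on a box
    without scapy; this function itself needs root for raw sockets."""
    from scapy.all import IP, TCP, ICMP, sr, conf
    conf.verb = 0
    answered, _unanswered = sr(IP(dst=target) / TCP(dport=list(ports), flags="S"),
                               timeout=timeout)
    results = {p: classify_syn_reply() for p in ports}    # default: nothing came back
    for sent, rcvd in answered:
        port = sent[TCP].dport
        if rcvd.haslayer(TCP):
            results[port] = classify_syn_reply(tcp_flags=int(rcvd[TCP].flags))
        elif rcvd.haslayer(ICMP):
            results[port] = classify_syn_reply(icmp_type=int(rcvd[ICMP].type),
                                               icmp_code=int(rcvd[ICMP].code))
    # The kernel never saw our SYN, so it answers each SYN/ACK with a RST itself;
    # no half-open connection is left on the target.
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.230.2"   # assumed lab target
    for port, (state, why) in sorted(syn_scan(target, [22, 23, 53, 80, 443]).items()):
        print("%s:%d %s (%s)" % (target, port, state, why))
```

Run it with sudo, as with the scapy shell above. A 'filtered' result with 'no reply' means either a firewall dropped the SYN or the host is simply not there; compare with the ping sweep before drawing conclusions.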
882 | ||
883 | ||
884 | ||
885 | ############################ | |
886 | # Ping Sweeping with Scapy # | |
887 | ############################ | |
888 | ||
----------------------------------------------------------------------
vi scapy-pingsweep.py


#!/usr/bin/python
from __future__ import print_function
from scapy.all import *

TIMEOUT = 2
conf.verb = 0               # silence scapy's own "Sent 1 packets" output
for ip in range(1, 255):    # .0 and .255 are the network and broadcast addresses
    packet = IP(dst="192.168.1." + str(ip), ttl=20)/ICMP()
    reply = sr1(packet, timeout=TIMEOUT)
    if reply is not None:
        print(reply.src, "is online")    # reply.src is the host that answered; reply.dst would be us
    else:
        print("Timeout waiting for %s" % packet[IP].dst)
----------------------------------------------------------------------
906 | ||
907 | ||
908 | ############################################### | |
909 | # Checking out some scapy based port scanners # | |
910 | ############################################### | |
911 | ||
912 | wget https://s3.amazonaws.com/SecureNinja/Python/rdp_scan.py | |
913 | ||
914 | cat rdp_scan.py | |
915 | ||
916 | sudo python rdp_scan.py 192.168.1.250 | |
917 | ||
918 | ||
919 | ||
920 | Log in to your Ubuntu system with the username 'malware' and the password 'malware'. | |
921 | ||
922 | After logging please open a terminal window and type the following commands: | |
923 | ||
924 | cd Desktop/ | |
925 | ||
926 | ||
This is actual malware (remember to run it in a VM; the password to extract it is 'infected'):
928 | ||
929 | wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip | |
930 | wget http://www.beenuarora.com/code/analyse_malware.py | |
931 | ||
932 | unzip malware-password-is-infected.zip | |
933 | infected | |
934 | ||
file malware.exe

mv malware.exe malware.pdf

file malware.pdf            (same answer: file reads the magic bytes, not the extension)

mv malware.pdf malware.exe

hexdump -n 2 -C malware.exe

***What is '4d 5a' or 'MZ'?*** It is the DOS header magic that every Windows PE executable starts with; the file-signature table below lists it alongside other formats.
Reference: http://www.garykessler.net/library/file_sigs.html
947 | ||
948 | ||
949 | objdump -x malware.exe | |
950 | ||
951 | strings malware.exe | |
952 | ||
953 | strings --all malware.exe | head -n 6 | |
954 | ||
955 | strings malware.exe | grep -i dll | |
956 | ||
957 | strings malware.exe | grep -i library | |
958 | ||
959 | strings malware.exe | grep -i reg | |
960 | ||
961 | strings malware.exe | grep -i hkey | |
962 | ||
963 | strings malware.exe | grep -i hku | |
964 | ||
965 | - We didn't see anything like HKLM, HKCU or other registry type stuff | |
966 | ||
967 | strings malware.exe | grep -i irc | |
968 | ||
969 | strings malware.exe | grep -i join | |
970 | ||
971 | strings malware.exe | grep -i admin | |
972 | ||
973 | strings malware.exe | grep -i list | |
974 | ||
975 | ||
976 | - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands | |
977 | sudo apt-get install -y python-pefile | |
978 | ||
979 | vi analyse_malware.py | |
980 | ||
981 | python analyse_malware.py malware.exe | |
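
- Added example, not from the workshop and not analyse_malware.py: a Python triage script that does by hand what file, hexdump and the strings | grep loop above do, so you can see where the answers come from. It checks the MZ magic, follows e_lfanew to the PE signature, decodes the COFF header (machine, section count, compile timestamp, DLL vs EXE), extracts printable strings and groups them by the same keywords grepped above. The built-in sample is a constructed header plus a few strings, not the workshop's malware.exe; pass a real file path as the first argument to run it against one.

```python
import re
import struct
from datetime import datetime, timezone

MZ_MAGIC = b"MZ"          # 4d 5a: the DOS header every PE file starts with
PE_MAGIC = b"PE\0\0"      # the NT signature that e_lfanew points at
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER_FMT = "<HHIIIHH"


def parse_pe_header(data):
    """COFF header facts for a PE file, or None if the bytes are not a PE.
    Like `file`, this trusts the content and ignores the extension."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_MAGIC:
        return None        # MZ without an NT header: a DOS program or a truncated file
    if len(data) < e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT):
        return None
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": stamp,
        "compiled": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
        "optional_header_size": opt_size,
    }


def extract_strings(data, min_len=4):
    """Printable-ASCII runs, what `strings` prints by default (min length 4)."""
    pattern = b"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


DEFAULT_HINTS = ("dll", "hkey", "hklm", "irc", "join", "privmsg", "admin")


def find_indicators(strings, hints=DEFAULT_HINTS):
    """Group strings by the keyword they contain, like the grep -i loop above."""
    hits = {}
    for hint in hints:
        matched = [s for s in strings if hint in s.lower()]
        if matched:
            hits[hint] = matched
    return hits


def build_sample():
    """A constructed minimal PE header plus a few strings; not a real binary."""
    hdr = bytearray(0x40)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)    # e_lfanew: NT header right after the DOS header
    hdr += PE_MAGIC + struct.pack(COFF_HEADER_FMT, 0x14C, 3, 1334451243, 0, 0, 224, 0x0102)
    hdr += b"\0" * 16
    hdr += b"kernel32.dll\0WS2_32.dll\0JOIN #botnet\0PRIVMSG\0ab\0"
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(parse_pe_header(data))
    for hint, matched in find_indicators(extract_strings(data)).items():
        print(hint, "->", matched)
```

A real sample will give far more strings than keywords; the point of the grouping is the same as the grep loop, to spot imported DLLs, registry keys and IRC verbs quickly. The compile timestamp is attacker-controlled and is only a hint, never proof.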
982 | ||


Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/

###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
------------------------------------
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
infected                (typed at the unzip password prompt)
python avsubmit.py --init
python avsubmit.py -f malware.exe -e



Creating a malware database (mysql)
-----------------------------------
Step 1: Installing the MySQL database
Run the following command in the terminal:

sudo apt-get install mysql-server

Step 2: Installing the Python MySQLdb module
Run the following commands in the terminal:

sudo apt-get build-dep python-mysqldb
sudo apt-get install python-mysqldb

Step 3: Logging in
Run the following command in the terminal:

mysql -u root -p        (set a password of 'malware')

Then create one database by running the following command:

mysql> create database malware;



wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py         (fill in the database connection information)

python mal_to_db.py -i

python mal_to_db.py -i -f malware.exe -u


mysql -u root -p
malware                 (the password set above)

mysql> use malware;

mysql> select id,md5,sha1,sha256,time FROM files;

mysql> quit;
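Both tools above do the same core job: hash each sample, store the hashes with a timestamp, and let you query by id, md5, sha1, sha256 and time. The following is an added example of that core written against Python's built-in sqlite3 module so it runs without a MySQL server; it is not avsubmit.py or mal_to_db.py, and the table layout (name, size and a UNIQUE sha256 column) is my own assumption rather than either tool's real schema. The UNIQUE constraint is the point: re-submitting a file you already have is a no-op instead of a duplicate row.

```python
"""Added example: a minimal sample database (sqlite3), keyed by sha256."""
import hashlib
import sqlite3
import time

# Assumed schema; column names follow the `select id,md5,sha1,sha256,time` query above.
SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id     INTEGER PRIMARY KEY AUTOINCREMENT,
    name   TEXT    NOT NULL,
    size   INTEGER NOT NULL,
    md5    TEXT    NOT NULL,
    sha1   TEXT    NOT NULL,
    sha256 TEXT    NOT NULL UNIQUE,
    time   TEXT    NOT NULL
);
"""


def hashes(data: bytes) -> dict:
    """md5/sha1/sha256 hex digests of the sample bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def init_db(path: str = ":memory:") -> sqlite3.Connection:
    """Equivalent of the tools' `--init`/`-i`: create the table if it is missing."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def add_sample(conn, name: str, data: bytes, when: str = None) -> bool:
    """Insert the sample unless its sha256 is already present. True if a row was added."""
    h = hashes(data)
    when = when or time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())
    cur = conn.execute(
        "INSERT OR IGNORE INTO files (name, size, md5, sha1, sha256, time) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (name, len(data), h["md5"], h["sha1"], h["sha256"], when))
    conn.commit()
    return cur.rowcount == 1          # 0 when the UNIQUE constraint made it a no-op


def list_samples(conn):
    """The `select id,md5,sha1,sha256,time FROM files` query from the exercise."""
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files ORDER BY id").fetchall()


def lookup(conn, sha256: str):
    """(id, name) for a known hash, or None - the 'have I seen this before?' check."""
    return conn.execute(
        "SELECT id, name FROM files WHERE sha256 = ?", (sha256,)).fetchone()


if __name__ == "__main__":
    db = init_db()
    # Constructed sample bytes; real tools would read the file from disk.
    add_sample(db, "malware.exe", b"MZ constructed sample")
    add_sample(db, "copy-of-malware.exe", b"MZ constructed sample")   # ignored: same sha256
    for row in list_samples(db):
        print(row)
```

Swapping `sqlite3.connect(...)` for a MySQLdb connection and the `?` placeholders for `%s` gives the MySQL variant used in the steps above; the hashing and the dedupe-by-sha256 logic stay the same.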




##############################
# Lesson 32: Setting up Yara #
##############################


sudo apt-get install clamav clamav-freshclam

sudo freshclam

sudo clamscan

sudo apt-get install libpcre3 libpcre3-dev

wget https://github.com/plusvic/yara/archive/v3.1.0.tar.gz

wget http://yara-project.googlecode.com/files/yara-python-1.4.tar.gz

tar -zxvf v3.1.0.tar.gz

cd yara-3.1.0/

./bootstrap.sh

./configure

make

make check

sudo make install

cd yara-python/

python setup.py build

sudo python setup.py install

cd ..

yara -v

(If yara fails to start with an error about loading libyara.so, run 'sudo ldconfig' and try again.)

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/3/clamav_to_yara.py

sigtool -u /var/lib/clamav/main.cvd

python clamav_to_yara.py -f main.ndb -o clamav.yara

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
infected                (typed at the unzip password prompt)

mkdir malcode/

mv malware.exe malcode/

vi testrule.yara
----------------
rule IsPE
{
    meta:
        description = "Windows executable file"

    condition:
        // MZ signature at offset 0 and ...
        uint16(0) == 0x5A4D and
        // ... PE signature at offset stored in MZ header at 0x3C
        uint32(uint32(0x3C)) == 0x00004550
}

rule has_no_DEP
{
    meta:
        description = "DEP is not enabled"

    condition:
        IsPE and
        // DllCharacteristics word sits 0x5E bytes past the PE signature;
        // bit 0x0100 is IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        uint16(uint32(0x3C)+0x5E) & 0x0100 == 0
}

rule has_no_ASLR
{
    meta:
        description = "ASLR is not enabled"

    condition:
        IsPE and
        // bit 0x0040 is IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        uint16(uint32(0x3C)+0x5E) & 0x0040 == 0
}
----------------
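The three rules above walk the PE header by hand: `MZ` at offset 0, `e_lfanew` at 0x3C, the `PE\0\0` signature there, and the `DllCharacteristics` word 0x5E bytes past that signature (4-byte signature + 20-byte COFF header + 0x46 into the optional header, which is the same position for PE32 and PE32+). The following added example does the same walk in Python so you can see each read explicitly; it is not from the workshop or the Malware Analyst's Cookbook, and `build_pe()` constructs a fake minimal header (not a real executable) just to exercise the checks. It also covers the edge case the rules handle implicitly: on a header too short to hold the flag word, YARA's `uint16()` is undefined and the rule does not match, so the Python version reports no finding there either.

```python
"""Added example: the IsPE / has_no_DEP / has_no_ASLR checks, step by step."""
import struct

DYNAMIC_BASE = 0x0040   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR
NX_COMPAT = 0x0100      # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: image opts in to DEP
PE_SIG_TO_DLLCHARS = 0x5E   # 4 (signature) + 20 (COFF header) + 0x46 (optional header)


def e_lfanew(data: bytes) -> int:
    """Offset of the PE signature, stored little-endian at 0x3C in the DOS header."""
    return struct.unpack_from("<I", data, 0x3C)[0]


def is_pe(data: bytes) -> bool:
    """rule IsPE: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew (uint16(0) == 0x5A4D is 'MZ')."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = e_lfanew(data)
    return data[off:off + 4] == b"PE\0\0"   # a short slice simply fails the compare


def dll_characteristics(data: bytes) -> int:
    """The uint16 at uint32(0x3C) + 0x5E, exactly as the rules read it."""
    return struct.unpack_from("<H", data, e_lfanew(data) + PE_SIG_TO_DLLCHARS)[0]


def check(data: bytes) -> dict:
    """Which of the three rules would fire on this buffer."""
    result = {"IsPE": False, "has_no_DEP": False, "has_no_ASLR": False}
    if not is_pe(data):
        return result
    result["IsPE"] = True
    # Truncated header: the flag word is outside the file, so neither flag rule can match.
    if len(data) < e_lfanew(data) + PE_SIG_TO_DLLCHARS + 2:
        return result
    flags = dll_characteristics(data)
    result["has_no_DEP"] = (flags & NX_COMPAT) == 0
    result["has_no_ASLR"] = (flags & DYNAMIC_BASE) == 0
    return result


def build_pe(dll_chars: int) -> bytes:
    """Constructed minimal PE32 header (assumption, not a runnable binary):
    64-byte DOS header with e_lfanew = 0x40, PE signature, 20-byte COFF header
    for an i386 image with one section, then a 0xE0-byte optional header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)      # PE32 magic
    struct.pack_into("<H", opt, 0x46, dll_chars)  # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for flags in (0x0000, 0x0040, 0x0100, 0x0140):
        print(hex(flags), check(build_pe(flags)))
```

To run the checks on the exercise's sample instead of the constructed header, read `malcode/malware.exe` into `data` and call `check(data)`; the result should agree with `yara testrule.yara malcode/malware.exe`.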


yara testrule.yara malcode/malware.exe

mkdir rules/

cd rules/

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/5/capabilities.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/6/magic.yara

wget https://malwarecookbook.googlecode.com/svn-history/r5/trunk/3/4/packer.yara

cd ..

yara rules/ malcode/malware.exe

wget https://github.com/Xen0ph0n/YaraGenerator/archive/master.zip

unzip master.zip

cd YaraGenerator-master/

python yaraGenerator.py ../malcode/ -r Test-Rule-2 -a "Joe McCray" -d "Test Rule Made With Yara Generator" -t "TEST" -f "exe"

cat Test-Rule-2.yar

wget http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

yara Test-Rule-2.yar putty.exe        (a known-good binary: checks the generated rule for false positives)




####################
# Additional Tasks #
####################

- PE Scanner:
  https://malwarecookbook.googlecode.com/svn/trunk/3/8/pescanner.py
  http://www.beenuarora.com/code/analyse_malware.py

- AV submission:
  http://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
  https://raw.githubusercontent.com/dcmorton/MalwareTools/master/vtsubmit.py

- Malware Database Creation:
  https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py




cd /home/malware/Desktop/Browser\ Forensics

ls | grep pcap

perl chaosreader.pl suspicious-time.pcap

firefox index.html

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

tshark -r suspicious-time.pcap -qz io,phs        (protocol hierarchy of the whole capture)




Which client talked to which web server, and for which Host header (one line per chaosreader session file):

for i in session_00[0-9]*.www.html; do
    srcip=$(grep 'www:\ ' "$i" | awk '{print $2}' | cut -d ':' -f1)
    dstip=$(grep 'www:\ ' "$i" | awk '{print $4}' | cut -d ':' -f1)
    host=$(grep 'Host:\ ' "$i" | sort -u | sed -e 's/Host:\ //g')
    echo "$srcip --> $dstip = $host"
done | sort -u


NetBIOS names announced with the <20> suffix (File Server service):

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


NetBIOS names with the <1e> suffix (Browser Service elections):

tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


Who is asking for whom via ARP:

tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


Unique source MAC addresses in the capture:

tshark -r suspicious-time.pcap -T fields -e "eth.src" | sort | uniq


(The -R read filter below is what this version of tshark uses; on newer releases -R needs -2 for two-pass mode, and -Y is the single-pass display filter.)

tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn






Every HTTP request as "src -> dst : URL":

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

The same with images, stylesheets, icons, google and honeynet.org traffic filtered out:

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

Frames whose text payload carries a <script tag:

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

Requests from one client only, with long query strings collapsed to "?..." unless they start with c, s or e:

tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
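The tshark/awk/grep pipelines above all post-process the same thing: tab-separated `-T fields` output. If you want to reuse that logic rather than retype it, the following added example does the request listing, the noise filter, the per-client host summary, the user-agent tally and the query-string collapse in Python. It is not part of the workshop or of chaosreader; the SAMPLE text is constructed here to look like the output of `tshark -r ... -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri -e http.user_agent` (that field order is assumed), using the two host names already named in this exercise plus 192.0.2.x documentation addresses and made-up URIs and user agents.

```python
"""Added example: summarise tshark `-T fields` HTTP request output in Python."""
import re
from collections import Counter

# Assumed field order of the tshark command (tab-separated, one request per line).
FIELDS = ("ip.src", "ip.dst", "http.host", "http.request.uri", "http.user_agent")
# Same substrings the `grep -v` step drops.
NOISE = ("/image", ".css", ".ico")

# Constructed sample output. Host names are the ones the exercise references;
# the addresses, URIs and user agents are made up for illustration.
SAMPLE = (
    "10.0.3.15\t192.0.2.10\twww.honeynet.org\t/\tMozilla/4.0 (compatible; MSIE 6.0)\n"
    "10.0.3.15\t192.0.2.10\twww.honeynet.org\t/images/logo.png\tMozilla/4.0 (compatible; MSIE 6.0)\n"
    "10.0.3.15\t192.0.2.10\twww.honeynet.org\t/style.css\tMozilla/4.0 (compatible; MSIE 6.0)\n"
    "10.0.3.15\t192.0.2.20\trapidshare.com.eyu32.ru\t/login.php\tMozilla/4.0 (compatible; MSIE 6.0)\n"
    "10.0.3.15\t192.0.2.30\tsploitme.com.cn\t/?id=constructed\tMozilla/4.0 (compatible; MSIE 6.0)\n"
    "10.0.3.16\t192.0.2.10\twww.honeynet.org\t/favicon.ico\tWget/1.15\n"
)


def parse(text: str):
    """One dict per non-empty line; fields tshark left empty become ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def is_noise(uri: str) -> bool:
    return any(n in uri for n in NOISE)


def collapse_query(uri: str) -> str:
    """The sed step: a query string not starting with c, s or e becomes '?...'."""
    return re.sub(r"\?[^cse].*", "?...", uri)


def request_urls(rows, client=None, drop_noise=True, collapse=False):
    """'src -> dst : http://host/uri' lines, like the awk print, optionally
    restricted to one client address (the `grep 10.0.3.15` step)."""
    out = []
    for r in rows:
        if client and r["ip.src"] != client:
            continue
        if drop_noise and is_noise(r["http.request.uri"]):
            continue
        uri = collapse_query(r["http.request.uri"]) if collapse else r["http.request.uri"]
        out.append("%s -> %s : http://%s%s" % (r["ip.src"], r["ip.dst"], r["http.host"], uri))
    return out


def hosts_by_client(rows):
    """{client: sorted hosts it requested} - the `sort -u` view of the session loop."""
    seen = {}
    for r in rows:
        seen.setdefault(r["ip.src"], set()).add(r["http.host"])
    return {c: sorted(h) for c, h in seen.items()}


def user_agents(rows) -> Counter:
    """Count of (client, user agent) pairs; an unexpected agent per host stands out."""
    return Counter((r["ip.src"], r["http.user_agent"]) for r in rows)


if __name__ == "__main__":
    rows = parse(SAMPLE)
    print("\n".join(request_urls(rows, client="10.0.3.15", collapse=True)))
    print(hosts_by_client(rows))
    print(user_agents(rows).most_common())
```

Feeding real output in is a matter of `rows = parse(open("requests.txt").read())` after redirecting the tshark command's output to that file.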




cd /home/malware/Desktop/Banking\ Troubles/Volatility

python volatility                                  (no arguments: prints usage and the available commands)
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "^https://" | uniq -u
cd ..
cd foremost-1.5.7/
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd /home/malware/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js

cat malicious.js


*****Sorry - no time to cover javascript de-obfuscation today*****


cd /home/malware/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
less files
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in *.dmp; do echo "$file"; strings "$file" | grep bankofamerica; done