View difference between Paste ID: <a href="/eGz7vPx3">eGz7vPx3</a> and <a href="/QXURDzmA">QXURDzmA</a> - Pastebin.com

View difference between Paste ID: eGz7vPx3 and QXURDzmA

SHOW: | | - or go back to the newest paste.

############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts




- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.

###################################
# Day 1: Intro to Static Analysis #
###################################
cd Desktop/

- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.

- This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':

- After logging please open a terminal window and type the following commands:
---------------------------Type This----------------------------------- 
sudo apt-get install -y python-pefile vim
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate


 
wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip --no-check-certificate
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate
 
file malware.exe

     infected
mv malware.exe malware.pdf

file wannacry.exe
 
mv wannacry.exe malware.pdf
mv malware.pdf malware.exe

file malware.pdf
hexdump -n 2 -C malware.exe

mv malware.pdf wannacry.exe
 
hexdump -n 2 -C wannacry.exe
----------------------------------------------------------------------- 
Reference: 

 
 
***What is '4d 5a' or 'MZ'***
objdump -x malware.exe

http://www.garykessler.net/library/file_sigs.html
strings malware.exe

 
strings --all malware.exe | head -n 6

 
strings malware.exe | grep -i dll

objdump -x wannacry.exe
strings malware.exe | grep -i library

strings wannacry.exe
strings malware.exe | grep -i reg

strings --all wannacry.exe | head -n 6
strings malware.exe | grep -i hkey

strings wannacry.exe | grep -i dll
strings malware.exe | grep -i hku

strings wannacry.exe | grep -i library
							- We didn't see anything like HKLM, HKCU or other registry type stuff

strings wannacry.exe | grep -i reg
 
strings wannacry.exe | grep -i key
strings malware.exe | grep -i irc

strings wannacry.exe | grep -i rsa
strings malware.exe | grep -i join			

strings wannacry.exe | grep -i open
strings malware.exe | grep -i admin

strings wannacry.exe | grep -i get
strings malware.exe | grep -i list

strings wannacry.exe | grep -i mutex
 
							- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands

 
strings wannacry.exe | grep -i join        
sudo apt-get install -y python-pefile

     malware

 
vi analyse_malware.py

----------------------------------------------------------------------- 
python analyse_malware.py malware.exe


Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
 
Quick Google search for "wannacry ransomeware analysis"
 
 
Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
 
- Yara Rule -
 
 
Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
cd Desktop/

 
wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip

Ok, let's look for the individual strings
 
 
---------------------------Type This----------------------------------- 
strings wannacry.exe | grep -i ooops
 
strings wannacry.exe | grep -i wanna
 
strings wannacry.exe | grep -i wcry
 
strings wannacry.exe | grep -i wannacry
 
strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
-----------------------------------------------------------------------
 
 
 
 
 
 
####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I
 
Reference1:
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
 
This is a really good script for the basics of static analysis
 
Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
 
 
This is really good for showing some good signatures to add to the Python script
 
 
Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP
 
 
 
---------------------------Type This----------------------------------- 
wget https://pastebin.com/raw/guxzCBmP
 
 
mv guxzCBmP am.py
 
 
nano am.py
 
python am.py wannacry.exe
-----------------------------------------------------------------------


################################
# Good references for WannaCry #
################################
 
References:
 
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html






Building a Malware Scanner
--------------------------

---------------------------Type This-----------------------------------
mkdir ~/Desktop/malwarescanner

cd ~/Desktop/malwarescanner

wget https://github.com/jonahbaron/malwarescanner/archive/master.zip

unzip master.zip

cd malwarescanner-master/

python scanner.py -h

cat strings.txt

cat hashes.txt

mkdir ~/Desktop/malcode

cp ~/Desktop/malware.exe ~/Desktop/malcode

python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt

cd ~/Desktop/
-----------------------------------------------------------------------


#####################################################
# Analyzing Macro Embedded Malware                  #
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
 -----------------------------------------------------------------------

---------------------------Type This-----------------------------------
cd ~/Desktop/


sudo pip install olefile
     

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
 
unzip oledump_V0_0_22.zip
 
wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip

unzip 064016.zip
     infected

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v
-----------------------------------------------------------------------



- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams. 
- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’. 
sudo apt install -y python-pefile

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v
----------------------------------------------------------------------- 

vi am.py

- Look for "GVhkjbjv" and you should see: 

 -----------------------------------------------------------------------


- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm




##############
# Yara Ninja #
##############
---------------------------Type This-----------------------------------
sudo apt-get remove -y yara


wget https://github.com/plusvic/yara/archive/v3.4.0.zip

sudo apt-get -y install libtool


unzip v3.4.0.zip

cd yara-3.4.0

./bootstrap.sh

./configure

make

sudo make install


yara -v

 -----------------------------------------------------------------------


wget https://github.com/Yara-Rules/rules/archive/master.zip

unzip master.zip

cd ~/Desktop

yara rules-master/packer.yar malcode/malware.exe
-----------------------------------------------------------------------



Places to get more Yara rules:
------------------------------
https://malwareconfig.com/static/yaraRules/
https://github.com/kevthehermit/YaraRules
https://github.com/VectraThreatLab/reyara



Yara rule sorting script:
-------------------------
https://github.com/mkayoh/yarasorter


---------------------------Type This-----------------------------------
cd ~/Desktop/rules-master
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
cd ~/Desktop/
yara rules-master/master.yar malcode/malware.exe
 -----------------------------------------------------------------------










Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2


Malware Repositories:
---------------------
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/











###############################
# Creating a Malware Database #
###############################

Creating a malware database (sqlite)
---------------------------Type This-----------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg


wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip

unzip malware-password-is-infected.zip
	infected

python avsubmit.py --init

python avsubmit.py -f malware.exe -e
-----------------------------------------------------------------------




Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:
---------------------------Type This-----------------------------------
sudo apt-get install mysql-server
-----------------------------------------------------------------------
 -----------------------------------------------------------------------

- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:
---------------------------Type This-----------------------------------
sudo apt-get build-dep python-mysqldb


sudo apt-get install python-mysqldb

-----------------------------------------------------------------------

Step 3: Logging in 
Run the following command in the terminal:
---------------------------Type This-----------------------------------
mysql -u root -p					(set a password of 'malware')
-----------------------------------------------------------------------


- Then create one database by running following command:
---------------------------Type This-----------------------------------
 -----------------------------------------------------------------------


exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py						(fill in database connection information)

python mal_to_db.py -i
-----------------------------------------------------------------------

------- check it to see if the files table was created ------

---------------------------Type This-----------------------------------
mysql -u root -p
	malware

show databases;

use malware;

show tables;

describe files;

exit;
-----------------------------------------------------------------------


- Now add the malicious file to the DB
---------------------------Type This-----------------------------------
python mal_to_db.py -f malware.exe -u
-----------------------------------------------------------------------


- Now check to see if it is in the DB
---------------------------Type This-----------------------------------
mysql -u root -p
	malware

mysql> use malware;

 -----------------------------------------------------------------------


mysql> quit;
------------------------------------------------------------------------










################################
# Day 2: Log and PCAP Analysis #
################################




 -----------------------------------------------------------------------
##############################################
# Log Analysis with Linux command-line tools #
##############################################
The following command line executables are found in the Mac as well as most Linux Distributions.
 
cat –  prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk –  can sort each row into fields and display only what is needed
sed –  performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates
 
 
 
 
##############
# Cisco Logs #
##############
 -----------------------------------------------------------------------

wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
----------------------------------------------------------------------- 
 
AWK Basics
----------
To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-----------------------------------------------------------------------
 
 
 
Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
-----------------------------------------------------------------------
---------------------------------

 
 
While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
---------------------------Type This-----------------------------------
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
 -----------------------------------------------------------------------

 
 
 
 
Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
---------------------------Type This-----------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
 
cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------
 
 



###############
# Apache Logs #
###############
---------------------------Type This-----------------------------------
wget https://s3.amazonaws.com/infosecaddictsfiles/access_log
-----------------------------------------------------------------------
 
# top 20 URLs from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

 
# top 20 URLS excluding POST data from the last 5000 hits
firefox index.html

tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

 
# top 20 IPs from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

####################

# Intro to TCPDump #

####################
# top 20 URLs requested from a certain ip from the last 5000 hits
---------------------------Type This-----------------------------------
sudo apt-get install tcpdump
IP=141.101.80.187; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
IP=141.101.80.187; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

Basic sniffing

--------------

# top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
sudo tcpdump -n

IP=141.101.80.187; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
IP=141.101.80.187; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy


sudo tcpdump -v -n

 
# top 20 referrers from the last 5000 hits
---------------------------Type This-----------------------------------
Getting the ethernet header (link layer headers)
tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
------------------------------------------------
tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.


sudo tcpdump -vv -n -e

 
# top 20 user agents from the last 5000 hits
Sniffing a particular interface

tail -5000 ./access_log | cut -d\  -f12- | sort | uniq -c | sort -rn | head -20
In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.


sudo tcpdump -D

 
# sum of data (in MB) transferred in the last 5000 hits
Filtering packets using expressions - Selecting protocols

tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
-----------------------------------------------------------------------
$ sudo tcpdump -n tcp



Particular host or port

-----------------------

Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101

#################################
$ sudo tcpdump -n 'src 192.168.1.101'
# Using Python for log analysis #
#################################
---------------------------Type This-----------------------------------
Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
wget https://s3.amazonaws.com/infosecaddictsfiles/access_log
 
$ sudo tcpdump -n 'udp and dst port 53'

cat access_log | grep 141.101.80.188
 
To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
cat access_log | grep 141.101.80.187
 
$ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
cat access_log | grep 108.162.216.204
 
cat access_log | grep 173.245.53.160
Search the network traffic using grep

cat access_log | grep 173.245.53.160 | wc -l
Grep can be used along with tcpdump to search the network traffic. Here is a very simple example

---------------------------------------------------------
$ sudo tcpdump -n -A | grep -e 'POST'

 
Take a look at the following reference:
So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
Here is quick example to sniff passwords using egrep

 

tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
Let's have some fun.....
---------------------------Type This-----------------------------------
python 

>>> f = open('access_log', "r")
#########

# NGrep #
>>> lines = f.readlines()
#########

>>> print lines
Install ngrep on Ubuntu

>>> lines[0]
$ sudo apt-get install ngrep

>>> lines[10]
 
Search network traffic for string "User-Agent: "
>>> lines[50]
 
$ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
>>> lines[1000]
 
In the above command :
>>> lines[5000]
a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80

b) The d option specifies the interface to sniff. eth0 in this case.
>>> lines[10000]
c) "User-Agent: " is the string to search for. All packets that have that string are displayed.

>>> print len(lines)
2. Search network packets for GET or POST requests :

>>> exit()
$ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80

 
The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).

---------------------------Type This-----------------------------------
3. ngrep without any options would simply capture all packets.
nano logread1.py
 
$ sudo ngrep


----------------------Paste this in the file----------------------------
Reference: 
## Open the file with read only permit
https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
f = open('access_log', "r")
 
$ sudo ngrep -d eth0 -n 3
## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
$ sudo ngrep -d any port 25
lines = f.readlines()
 
print lines
This will let you monitor all activity crossing source or destination port 25

(SMTP).

## close the file after reading the lines.
$ sudo ngrep -wi -d wlan0 'user|pass' port 6667
f.close()
 
$ sudo ngrep -wi -d any 'user|pass' port 21

 
 
Google the following:
        - python difference between readlines and readline
        - python readlines and readline
 
 

 
Can you write an if/then statement that looks for the following IP in the log file?
141.101.81.187
 
 
 
 
 
 
---------------------------------------------------------
Hint 1: Use Python to look for a value in a list
 
Reference:
http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
 
 
 
 
---------------------------------------------------------
Hint 2: Use Python to prompt for user input
 
Reference:
http://www.cyberciti.biz/faq/python-raw_input-examples/
 
 
 
 
---------------------------------------------------------
Hint 3: Use Python to search for a string in a list
 
Reference:
http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
 
 
 
 
 
Here is my solution:
-------------------
$ python
>>> f = open('access_log', "r")
>>> lines = f.readlines()
>>> ip = '141.101.81.187'
>>> for string in lines:
...     if ip in string:
...             print(string)

>>>
>>> exit()

 
 
 
 
Here is one student's solution - can you please explain each line of this code to me?
-------------------------------------------------------------------------------------


---------------------------Type This-----------------------------------
nano logread1.py
 
 
 
----------------------Paste this in the file----------------------------
#!/usr/bin/python
 
f = open('access_log')
 
strUsrinput = raw_input("Enter IP Address: ")
 
for line in iter(f):
    ip = line.split(" - ")[0]
    if ip == strUsrinput:
        print line
 
f.close()
-----------------------------------------------------------------------
 
 
 
 
-------------------------------
 
Working with another student after class we came up with another solution:

---------------------------Type This-----------------------------------
nano logread1.py
 
 
 
----------------------Paste this in the file---------------------------- 
#!/usr/bin/env python
 
 
# This line opens the log file
f=open('access_log',"r")
 
# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()
 
 
# This lines stores the IP that the user types as a var called userinput
userinput = raw_input("Enter the IP you want to search for: ")
 
 
 
# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
# Understanding Snort rules #
        print ip
------------------------------------------------------------------------ 
Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)


Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)


Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)


Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)


Field 5: Traffic Direction (->)


Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)


Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)

#################
Field 8: MSG - what is actually displayed on the analysts machine

#################
---------------------------Type This-----------------------------------
Let's look at 2 simple rules

----------------------------------------------------------------------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \

bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \

content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \

00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \

reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)


alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \

attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \

depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \

00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \

distance:0; within:1; content:”|0b|”; distance:1; within:1; \

byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
python -m SimpleHTTPServer
46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \

sid:2193; rev:1;)
Now you can just browse to the IP address of your Linux box on port 8000
----------------------------------------------------------------------------------

http://Linux-Box-IP:8000/


From your Linux machine ping your Windows machine

--------------------------Type This-----------------------------------
ping 192.168.150.1


cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr

Start wireshark and let's create some simple filters:

for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u
Filter 1:


ip.addr==192.168.150.1



Filter 2:
########################
# Playing with TCPDump #
ip.addr==192.168.150.1 && icmp
########################

Let's install tcpdump
---------------------------Type This-----------------------------------
Filter 3:
sudo apt install -y tcpdump
------------------------------------------------------------------------
ip.addr==192.168.150.1 && !(tcp.port==22)


Now stop your capture and restart it (make sure you keep the filter)

The easiest way to use tcpdump is to just directly write a pcap file
Run tcpdump to capture a .pcap file that we will use for the next exercise
 
---------------------------Type This-----------------------------------
Back to your Linux machine:

[ CTRL-C ] - to stop your ping
sudo tcpdump -ni eth0 -s0 -w quick.pcap
 
wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
----------------------------------------------------------------------
 
--open another command prompt--
gcc -o exploit oc192-dcom.c

---------------------------Type This-----------------------------------
./exploit

 
wget http://packetlife.net/media/library/12/tcpdump.pdf
./exploit -d 192.168.150.1 -t 0

 ----------------------------------------------------------------------- 
----------------------------------------------------------------------



Now go back to WireShark and stop the capture.
The basic structure of tcpdump output is:

[timestamp] [network protocol] [source IP].[source port] > [destination IP].[destination port]


###################

# Memory Analysis #
tcpdump -nn -r  suspicious-time.pcap | head
###################




To grab a count of the number of packets in a capture you can type:
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap | wc -l
------------------------------------------------------------------------



To select only the source IP with the port, which is the 3rd column you can type:
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap | cut -f 3 -d " " | head
------------------------------------------------------------------------



To filter for just TCP/IP traffic and exclude layer 2 traffic you can use 'tcp or udp'
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp or udp' | cut -f 3 -d " " | head
------------------------------------------------------------------------



Here we are removing the source port by adding another cut that selects the first 4 columns separated by the "." character:
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | head
------------------------------------------------------------------------



Adding sort and uniq cleans up the data a lot more
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp or udp' | cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq | head
------------------------------------------------------------------------



If you wanted to see the destination instead of the sources you can change the first cut statement:
---------------------------Type This-----------------------------------
 -----------------------------------------------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq | head
------------------------------------------------------------------------



Here we can count just how many of these instances occurred
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp or udp' | cut -f 5 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head
------------------------------------------------------------------------



To examine destination ports, start by selecting only destination IPs and ports for new TCP sessions using a Tcpdump filter of 'tcp[13]=2' which selects only packets 
with the SYN flag set. That way you don’t accidentally give undue weight to  commonly used ports like 443 and 80, where there may be a large number of  packets over very few sessions as in the case of a HTTP or HTTPS download:
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp[13]=2' | cut -f 5 -d " " | sort | uniq -c | sort -nr | head
------------------------------------------------------------------------


                            ######################

----------- ############### # Intro to Reversing # ############### -----------
Now that you've got the top destinations you can use cut to select only the port
                            ######################

Lab walk-through documents are in the zip file along with the executables that need to be reversed:
tcpdump -nn -r  suspicious-time.pcap 'tcp[13]=2' | cut -f 5 -d " " | cut -f 5 -d "." | sort | uniq -c | sort -nr | head
https://s3.amazonaws.com/infosecaddictsfiles/Lena151.zip




We can do the same with the source IP to see who the top talkers are:
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'tcp[13]=2' | cut -f 3 -d " " | cut -f 1-4 -d "." | sort | uniq -c | sort -nr | head
------------------------------------------------------------------------



Many network protocols store their data as plain text in the payload portion of a packet (SMTP, Syslog, POP3, FTP ASCII mode, HTTP, DNS, etc), and Tcpdump candisplay this text by using the WA switch:
---------------------------Type This-----------------------------------
tcpdump -Ann -r  suspicious-time.pcap 'dst port 25 or dst port 514 or dst port 110 or dst port 21 or dst port 53 or dst port 80' | head -15
------------------------------------------------------------------------



Looking at DNS traffic
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'port 53' | head -5
------------------------------------------------------------------------



Let's try to exclude some of the common TLDs and see what we come up with: 
---------------------------Type This----------------------------------- 
tcpdump -nn -r  suspicious-time.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)'
------------------------------------------------------------------------



Let's grab names instead of IP addresses:
---------------------------Type This-----------------------------------
tcpdump -nn -r  suspicious-time.pcap 'port 53' | grep -Ev '(com|net|org|gov|mil|arpa)' | cut -f 8 -d " " | grep -E '[a-z]'
------------------------------------------------------------------------




Looking at HTTP traffic
---------------------------Type This-----------------------------------
tcpdump -Ann -r  suspicious-time.pcap 'dst port 80' | head -15
------------------------------------------------------------------------



Removing GET/HEAD methods
---------------------------Type This-----------------------------------
tcpdump -Ann -r  suspicious-time.pcap 'dst port 80' | grep 'HTTP' | grep -Ev '(GET|HEAD)' | head
------------------------------------------------------------------------



Checking out the referer field
---------------------------Type This-----------------------------------
tcpdump -Ann -r  suspicious-time.pcap 'dst port 80' | grep -i 'referer' | head
------------------------------------------------------------------------



Checking out the user-agent field
---------------------------Type This-----------------------------------
tcpdump -Ann -r  suspicious-time.pcap 'dst port 80' | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -15
------------------------------------------------------------------------



#############################
# PCAP Analysis with tshark #
#############################
---------------------------Type This-----------------------------------
sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
 

tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u


tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'


tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq


tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq

tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


whois rapidshare.com.eyu32.ru

whois sploitme.com.cn


tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' 

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -R http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
-----------------------------------------------------------------------


######################################
# PCAP Analysis with forensicPCAP.py #
######################################
---------------------------Type This-----------------------------------
cd ~/Desktop/suspiciouspcap/

wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py

sudo pip install cmd2==0.7.9


python forensicPCAP.py suspicious-time.pcap
------------------------------------------------------------------------


---------------------------Type This-----------------------------------
ForPCAP >>> help
------------------------------------------------------------------------

Prints stats about PCAP
---------------------------Type This-----------------------------------
ForPCAP >>> stat
------------------------------------------------------------------------

Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
---------------------------Type This-----------------------------------
ForPCAP >>> dns

ForPCAP >>> show
------------------------------------------------------------------------

Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
---------------------------Type This-----------------------------------
ForPCAP >>> dstports

ForPCAP >>> show
---------------------------Type This-----------------------------------

Prints the number of ip source and store them.
---------------------------Type This-----------------------------------
ForPCAP >>> ipsrc
 
ForPCAP >>> show
------------------------------------------------------------------------

Prints the number of web's requests and store them
ForPCAP >>> web
 
ForPCAP >>> show
------------------------------------------------------------------------


Prints the number of mail's requests and store them
---------------------------Type This-----------------------------------
ForPCAP >>> mail
 
ForPCAP >>> show
------------------------------------------------------------------------


If you really want to look at some more in-depth analysis of this suspicious-time.pcap file you can download the following document:
https://s3.amazonaws.com/infosecaddictsfiles/Forensic+Challenge+2010_-_Challenge_2_-_Solution.doc








###################################
# Day 3: Intro to Memory Analysis #
###################################

---------------------------Type This-----------------------------------
cd  ~/Desktop/

sudo apt-get install -y foremost tcpxtract

wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem

git clone https://github.com/volatilityfoundation/volatility.git

cd volatility
sudo pip install distorm3
sudo python setup.py install
python vol.py -h
python vol.py pslist -f ~/Desktop/hn_forensics.vmem
python vol.py connscan -f ~/Desktop/hn_forensics.vmem
mkdir dump/
mkdir -p output/pdf/
python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 888 -D dump/
python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 1752 -D dump/ 
				***Takes a few min***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
cd ~/Desktop/volatility/output/pdf/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf



cd ~/Desktop/volatility/output/pdf/
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw pdf/00601560.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js

cat malicious.js
-----------------------------------------------------------------------




*****Sorry - no time to cover javascript de-obfuscation today*****




---------------------------Type This-----------------------------------
cd ~/Desktop/volatility
mkdir files2/
python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
python vol.py hivescan -f ~/Desktop/hn_forensics.vmem									
python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon	
-----------------------------------------------------------------------

Public Pastes

Searching Techniques
C | 4 min ago | 2.98 KB
Sorting Techniques
C | 5 min ago | 5.12 KB
HEAP CODE
C | 6 min ago | 1.66 KB
⭐ Binance Account hack QK
JavaScript | 7 min ago | 0.17 KB
Matrix CODE
C | 8 min ago | 6.19 KB
⭐️ EARN $500 INSTANTLY KE
JavaScript | 8 min ago | 0.17 KB
Array CODE
C | 10 min ago | 5.34 KB
Linked List CODE
C | 12 min ago | 4.02 KB