##############################
# Linux For InfoSec Pros #
# By Joe McCray #
##############################



##########
# VMware #
##########
- For this workshop you'll need the latest version of VMware Workstation (Windows), Fusion (Mac), or Player.

- http://www.vmware.com/ap/products/player.html


- Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.


##########################
# Download the attack VM #
##########################
https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
user: strategicsec
pass: strategicsec

- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


- Log in to your Ubuntu host with the following credentials:
user: strategicsec
pass: strategicsec


- I prefer to use PuTTY to SSH into my Ubuntu host on pentests, and I'll be teaching this class in the same manner that I do pentests.
- You can download PuTTY from here:
- http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe


- For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address, so any time you see that IP you'll know it's my Ubuntu host.


########################
# Basic Linux Commands #
########################

pwd

whereis pwd

which pwd

sudo find / -name pwd

/bin/pwd

mkdir test

cd test

touch one two three

ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)

h (and again without pressing the Enter key, press the Tab key twice. What happens?)

Press the 'Up arrow key' (What happens?)

Press 'Ctrl-A' (What happens?)

ls

clear (What happens?)

echo one > one

cat one (What happens?)

man cat (What happens?)
q

cat two

cat one > two

cat two

cat one two > three

cat three

echo four >> three

cat three (What happens?)

wc -l three

man wc
q

cat three | grep four

cat three | grep one

man grep
q


sudo grep 'eth[01]' /etc/* (What happens?)

cat /etc/iftab


man ps
q

ps

ps aux

ps aux | less

Press the 'Up arrow key' (What happens?)

Press the 'Down arrow key' (What happens?)
q

top

############
# VIM Demo #
############
http://www.thegeekstuff.com/2009/03/8-essential-vim-editor-navigation-fundamentals/

-- DO THIS VIM TUTORIAL --



#########################################################################
# What kind of Linux am I on and how can I find out? #
# Great reference: #
# https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
#########################################################################
- What's the distribution type? What version?
-------------------------------------------
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian based
cat /etc/redhat-release # Redhat based



- What's the kernel version? Is it 64-bit?
-------------------------------------------
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-



- What can be learnt from the environment variables?
----------------------------------------------------
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set


- What services are running? Which service has which user privilege?
------------------------------------------------------------------
ps aux
ps -ef
top
cat /etc/services


- Which service(s) are being run by root? Of these services, which are vulnerable? It's worth a double check!
---------------------------------------------------------------------------------------------------------------
ps aux | grep root
ps -ef | grep root



- What applications are installed? What version are they? Are they currently running?
------------------------------------------------------------------------------------
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives/
ls -alh /var/cache/yum/


- Are any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
------------------------------------------------------------------------------------
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' # anything in /etc that is readable



- What jobs are scheduled?
------------------------
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root


- Any plain text usernames and/or passwords?
------------------------------------------
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # Search for Joomla passwords (single quotes, so the shell does not expand $password)


- What NIC(s) does the system have? Is it connected to another network?
---------------------------------------------------------------------
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network


- What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
------------------------------------------------------------------------------------------------------------------------
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

- What other users & hosts are communicating with the system?
-----------------------------------------------------------
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w



- What's cached? IP and/or MAC addresses
-------------------------------------
arp -e
route
/sbin/route -nee


- Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
------------------------------------------------------------------------------------------
id
who
w
last
cut -d: -f1 /etc/passwd # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l



- What sensitive files can be found?
----------------------------------
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/



- Anything "interesting" in the home directories? (If it's possible to access them)
----------------------------------------------------------------------------
ls -ahlR /root/
ls -ahlR /home/


- Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords:
---------------------------------------------------------------------------------------------------------------------------
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg


- What has the user been doing? Is there any password in plain text? What have they been editing?
-----------------------------------------------------------------------------------------------
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history



- What user information can be found?
-----------------------------------
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root


- Can private-key information be found?
-------------------------------------
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key


- Any settings/files (hidden) on the website? Any settings file with database information?
------------------------------------------------------------------------------------
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/


- Is there anything in the log file(s)? (Could help with "Local File Includes"!)
-----------------------------------------------------------------------------
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

- Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
405 | ||
406 | ||
407 | ||
408 | ||
409 | ################# | |
410 | # IPTables Demo # | |
411 | ################# | |
412 | - Reference: | |
413 | http://www.thegeekstuff.com/2011/06/iptables-rules-examples/ | |
414 | ||
415 | - Delete Existing Rules | |
416 | --------------------- | |
417 | sudo /sbin/iptables -F | |
418 | (or) | |
419 | sudo /sbin/iptables --flush | |
420 | ||
421 | ||
422 | ||
423 | - Set Default Chain Policies | |
424 | -------------------------- | |
425 | iptables -P INPUT DROP | |
426 | iptables -P FORWARD DROP | |
427 | iptables -P OUTPUT DROP | |
428 | ||
429 | ||
430 | ||
431 | - Delete Existing Rules | |
432 | --------------------- | |
433 | sudo /sbin/iptables -F | |
434 | (or) | |
435 | sudo /sbin/iptables --flush | |
436 | ||
437 | ||
438 | - Block a Specific ip-address | |
439 | --------------------------- | |
440 | BLOCK_THIS_IP="1.2.3.4" | |
441 | iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP | |
442 | ||
443 | ||
444 | iptables -A INPUT -i eth0 -s "$BLOCK_THIS_IP" -j DROP | |
445 | iptables -A INPUT -i eth0 -p tcp -s "$BLOCK_THIS_IP" -j DROP | |
446 | ||
447 | ||
448 | - Allow ALL Incoming SSH | |
449 | ---------------------- | |
450 | iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
451 | iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
452 | ||
453 | ||
454 | - Allow Incoming SSH only from a Sepcific Network | |
455 | ----------------------------------------------- | |
456 | iptables -A INPUT -i eth0 -p tcp -s 192.168.100.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
457 | iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
458 | ||
459 | ||
460 | - Allow Incoming HTTP and HTTPS | |
461 | ----------------------------- | |
462 | iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT | |
463 | iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT | |
464 | ||
465 | ||
466 | iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
467 | iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT | |
468 | ||
469 | ||
470 | ||
471 | - Combine Multiple Rules Together using MultiPorts | |
472 | ------------------------------------------------ | |
473 | iptables -A INPUT -i eth0 -p tcp -m multiport --dports 22,80,443 -m state --state NEW,ESTABLISHED -j ACCEPT | |
474 | iptables -A OUTPUT -o eth0 -p tcp -m multiport --sports 22,80,443 -m state --state ESTABLISHED -j ACCEPT | |
475 | ||
476 | ||
477 | - Allow Outgoing SSH | |
478 | ------------------ | |
479 | iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT | |
480 | iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT | |
481 | ||
482 | ||
483 | ||
484 | ||
485 | ||
486 | ||
487 | ||
488 | ||
489 | ||
490 | #################### | |
491 | # MD5 Hashing Demo # | |
492 | #################### | |
493 | mkdir ~/demo | |
494 | cd ~/demo | |
495 | ||
496 | ||
497 | ||
498 | mkdir hashdemo | |
499 | cd hashdemo | |
500 | echo test > test.txt | |
501 | cat test.txt | |
502 | md5sum test.txt | |
503 | echo hello >> test.txt | |
504 | cat test.txt | |
505 | md5sum test.txt | |
506 | cd .. | |
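The demo shows a digest changing; the practical use is recording digests for a set of files once and verifying them later. The script below is an added example for this page (not from the workshop) that builds a SHA-256 manifest of a directory, verifies it, then makes the same `echo hello >> test.txt` edit the demo makes and shows the verification catching it. The file names are constructed for the demo; it relies only on coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example, not part of the workshop: record SHA-256 digests for a tree
# once, then verify them later to detect tampering. SHA-256 rather than MD5:
# MD5 collisions are cheap to build, which is exactly what an integrity
# check has to rule out.

# Write "digest  ./path" lines for every file under $1 (except the manifest itself).
make_manifest() {        # $1 = directory, $2 = manifest path
  ( cd "$1" && find . -type f ! -name "$(basename "$2")" | sort | xargs sha256sum ) > "$2"
}

# Exit 0 if every file still matches, non-zero if any digest differs or a file is missing.
verify_manifest() {      # $1 = directory, $2 = manifest path
  ( cd "$1" && sha256sum -c "$2" ) >/dev/null 2>&1
}

# Name the files whose digest no longer matches (one per line).
changed_files() {        # $1 = directory, $2 = manifest path
  ( cd "$1" && sha256sum -c "$2" 2>/dev/null ) | grep -v ': OK$' | cut -d: -f1
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/bin"
printf 'echo hello\n' > "$demo/bin/hello.sh"   # constructed sample files
printf 'test\n'       > "$demo/test.txt"

make_manifest "$demo" "$demo/SHA256SUMS"
cat "$demo/SHA256SUMS"
verify_manifest "$demo" "$demo/SHA256SUMS" && echo "clean"

echo hello >> "$demo/test.txt"                  # the same edit the demo makes
verify_manifest "$demo" "$demo/SHA256SUMS" || echo "TAMPERED: $(changed_files "$demo" "$demo/SHA256SUMS")"
```

The manifest only proves anything if it is stored somewhere the attacker cannot edit (off-box, or signed with the gpg key from the next demo); a manifest kept next to the files can simply be regenerated after the tampering.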
507 | ||
508 | ||
509 | ||
510 | Reference: | |
511 | https://www.howtoforge.com/tutorial/linux-commandline-encryption-tools/ | |
512 | ||
513 | ||
514 | ################################# | |
515 | # Symmetric Key Encryption Demo # | |
516 | ################################# | |
517 | mkdir gpgdemo | |
518 | cd gpgdemo | |
519 | echo test > test.txt | |
520 | cat test.txt | |
521 | gpg -c test.txt | |
522 | password | |
523 | password | |
524 | ls | grep test | |
525 | cat test.txt | |
526 | cat test.txt.gpg | |
527 | rm -rf test.txt | |
528 | ls | grep test | |
529 | gpg -o output.txt test.txt.gpg | |
530 | cat output.txt | |
531 | ||
532 | ||
533 | ######################################################################################################################### | |
534 | # Asymmetric Key Encryption Demo # | |
535 | # # | |
536 | # Configure random number generator # | |
537 | # https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny # | |
538 | ######################################################################################################################### | |
539 | ||
540 | sudo apt-get install rng-tools | |
541 | strategicsec | |
542 | ||
543 | /etc/init.d/rng-tools start | |
544 | ||
545 | sudo rngd -r /dev/urandom | |
546 | strategicsec | |
547 | ||
548 | ||
549 | echo hello > file1.txt | |
550 | echo goodbye > file2.txt | |
551 | echo green > file3.txt | |
552 | echo blue > file4.txt | |
553 | ||
554 | tar czf files.tar.gz *.txt | |
555 | ||
556 | gpg --gen-key | |
557 | 1 | |
558 | 1024 | |
559 | 0 | |
560 | y | |
561 | John Doe | |
562 | john@doe.com | |
563 | --blank comment-- | |
564 | O | |
565 | password | |
566 | password | |
567 | ||
568 | ||
569 | ||
570 | gpg --armor --output file-enc-pubkey.txt --export 'John Doe' | |
571 | ||
572 | cat file-enc-pubkey.txt | |
573 | ||
574 | gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe' | |
575 | ||
576 | cat file-enc-privkey.asc | |
577 | ||
578 | gpg --encrypt --recipient 'John Doe' files.tar.gz | |
579 | ||
580 | rm -rf files.tar.gz *.txt | |
581 | ||
582 | ls | |
583 | ||
584 | tar -zxvf files.tar.gz.gpg | |
585 | ||
586 | gpg --output output.tar.gz --decrypt files.tar.gz.gpg | |
587 | password | |
588 | ||
589 | tar -zxvf output.tar.gz | |
590 | ||
591 | ls | |
592 | ||
593 | Reference: | |
594 | http://linoxide.com/security/gpg-comand-linux-how-to-encrypt-and-decrypt-file/ | |
595 | ||
596 | ||
597 | ||
598 | ############################ | |
599 | # Encryption using OpenSSL # | |
600 | ############################ | |
601 | openssl genrsa -out private_key.pem 1024 | |
602 | openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout | |
603 | ||
604 | ||
605 | echo hello > encrypt.txt | |
606 | openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat | |
607 | ||
608 | cat encrypt.dat | |
609 | ||
610 | rm -rf encrypt.txt | |
611 | ||
612 | ls | |
613 | ||
614 | openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt | |
615 | ||
616 | cat decrypt.txt | |
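The rsautl demo works because "hello" is six bytes. Try it on a real file and it fails, since RSA can only encrypt something smaller than its modulus. The script below is an added example for this page (not from the workshop) showing the standard answer, hybrid encryption: a fresh random AES key encrypts the file and the RSA public key encrypts only that key. It uses `openssl pkeyutl` with OAEP padding in place of the deprecated rsautl, and assumes OpenSSL 1.1.1 or later on PATH; file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the workshop: hybrid encryption with OpenSSL.
# RSA can only encrypt something smaller than its modulus (under ~200 bytes
# for a 2048-bit key with OAEP), so wrapping a real file with rsautl fails.
# Standard practice: encrypt the file with a fresh random AES key, then
# encrypt only that key with the recipient's RSA public key.
# Assumed: OpenSSL 1.1.1 or later on PATH; file names are made up.

gen_keypair() {          # $1 = private key out, $2 = public key out
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

# Produces $3.enc (AES-256-CBC ciphertext) and $3.key.enc (session key wrapped with RSA-OAEP).
hybrid_encrypt() {       # $1 = plaintext file, $2 = recipient public key, $3 = output prefix
  openssl rand -hex 32 > "$3.session"                      # one-time key, never reused
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$3.session" -in "$1" -out "$3.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$3.session" -out "$3.key.enc"
  rm -f "$3.session"                                       # only the wrapped copy is kept
}

hybrid_decrypt() {       # $1 = output prefix from above, $2 = private key, $3 = plaintext out
  openssl pkeyutl -decrypt -inkey "$2" -pkeyopt rsa_padding_mode:oaep \
    -in "$1.key.enc" -out "$1.session"
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1.session" -in "$1.enc" -out "$3"
  rm -f "$1.session"
}

crypto_dir=$(mktemp -d)
trap 'rm -rf "$crypto_dir"' EXIT
gen_keypair "$crypto_dir/private_key.pem" "$crypto_dir/public_key.pem"
seq 1 20000 > "$crypto_dir/big.txt"                        # ~100 KB constructed input

# Direct RSA on the whole file: expected to fail (input too large for the key).
if openssl pkeyutl -encrypt -pubin -inkey "$crypto_dir/public_key.pem" \
     -in "$crypto_dir/big.txt" -out /dev/null 2>/dev/null; then
  echo "unexpected: direct RSA encryption of a 100 KB file succeeded"
else
  echo "direct RSA encryption of big.txt fails, as expected"
fi

hybrid_encrypt "$crypto_dir/big.txt" "$crypto_dir/public_key.pem" "$crypto_dir/out"
hybrid_decrypt "$crypto_dir/out" "$crypto_dir/private_key.pem" "$crypto_dir/big.dec"
cmp -s "$crypto_dir/big.txt" "$crypto_dir/big.dec" && echo "round trip OK"
ls "$crypto_dir"
```

What this still lacks is integrity: AES-CBC does not detect a modified ciphertext, so for anything beyond a demo add an HMAC over the .enc file or, simpler, let `gpg --encrypt` do the whole hybrid construction (which is exactly what the gpg demo above was doing for you).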
617 | ||
618 | ||
619 | ||
620 | ||
621 | ############################################## | |
622 | # Log Analysis with Linux command-line tools # | |
623 | ############################################## | |
624 | - The following command line executables are found in the Mac as well as most Linux Distributions. | |
625 | ||
626 | cat – prints the content of a file in the terminal window | |
627 | grep – searches and filters based on patterns | |
628 | awk – can sort each row into fields and display only what is needed | |
629 | sed – performs find and replace functions | |
630 | sort – arranges output in an order | |
631 | uniq – compares adjacent lines and can report, filter or provide a count of duplicates | |
632 | ||
633 | ||
634 | ||
635 | ############### | |
636 | # Apache Logs # | |
637 | ############### | |
638 | ||
639 | Reference: | |
640 | http://www.the-art-of-web.com/system/logs/ | |
641 | ||
642 | wget https://s3.amazonaws.com/SecureNinja/Python/access_log | |
643 | ||
644 | ||
645 | - You want to list all user agents ordered by the number of times they appear (descending order): | |
646 | ||
647 | awk -F\" '{print $6}' access_log | sort | uniq -c | sort -fr | |
648 | ||
649 | ||
650 | ||
651 | - Using the default separator which is any white-space (spaces or tabs) we get the following: | |
652 | ||
653 | awk '{print $1}' access_log # ip address (%h) | |
654 | awk '{print $2}' access_log # RFC 1413 identity (%l) | |
655 | awk '{print $3}' access_log # userid (%u) | |
656 | awk '{print $4,5}' access_log # date/time (%t) | |
657 | awk '{print $9}' access_log # status code (%>s) | |
658 | awk '{print $10}' access_log # size (%b) | |
659 | ||
660 | - You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following: | |
661 | ||
662 | awk -F\" '{print $2}' access_log # request line (%r) | |
663 | awk -F\" '{print $4}' access_log # referer | |
664 | awk -F\" '{print $6}' access_log # user agent | |
665 | ||
666 | ||
667 | awk -F\" '{print $6}' access_log \ | |
668 | | sed 's/(\([^;]\+; [^;]\+\)[^)]*)/(\1)/' \ | |
669 | | sort | uniq -c | sort -fr | |
670 | ||
671 | ||
672 | - The next step is to start filtering the output so you can narrow down on a certain page or referer. Would you like to know which pages Google has been requesting from your site? | |
673 | ||
674 | awk -F\" '($6 ~ /Googlebot/){print $2}' access_log | awk '{print $2}' | |
675 | Or who's been looking at your guestbook? | |
676 | ||
677 | awk -F\" '($2 ~ /guestbook\.html/){print $6}' access_log | |
678 | ||
679 | ||
680 | Reference: | |
681 | https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/ | |
682 | ||
683 | # top 20 URLs from the last 5000 hits | |
684 | tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20 | |
685 | tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 | |
686 | ||
687 | # top 20 URLS excluding POST data from the last 5000 hits | |
688 | tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20 | |
689 | tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 | |
690 | ||
691 | # top 20 IPs from the last 5000 hits | |
692 | tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20 | |
693 | tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 | |
694 | ||
695 | # top 20 URLs requested from a certain ip from the last 5000 hits | |
696 | IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20 | |
697 | IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 | |
698 | ||
699 | # top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits | |
700 | IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20 | |
701 | IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20 | |
702 | ||
703 | # top 20 referrers from the last 5000 hits | |
704 | tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20 | |
705 | tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20 | |
706 | ||
707 | # top 20 user agents from the last 5000 hits | |
708 | tail -5000 ./access_log | cut -d\ -f12- | sort | uniq -c | sort -rn | head -20 | |
709 | ||
710 | # sum of data (in MB) transferred in the last 5000 hits | |
711 | tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}' | |
712 | ||
713 | ||
714 | ############## | |
715 | # Cisco Logs # | |
716 | ############## | |
717 | ||
718 | wget https://s3.amazonaws.com/StrategicSec-Files/LogAnalysis/cisco.log | |
719 | ||
720 | ||
721 | AWK Basics | |
722 | ---------- | |
723 | - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity. | |
724 | ||
725 | cat cisco.log | awk '{print $5}' | tail -n 4 | |
726 | ||
727 | ||
728 | ||
729 | ||
730 | - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order. | |
731 | ||
732 | cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn | |
733 | ||
734 | ||
735 | ||
736 | ||
737 | - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”. | |
738 | ||
739 | cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn | |
740 | ||
741 | ||
742 | ||
743 | ||
744 | ||
745 | - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep. | |
746 | ||
747 | cat cisco.log | grep %LINEPROTO-5-UPDOWN: | |
748 | ||
749 | cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn | |
750 | ||
751 | cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn | |
752 | ||
753 | cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn | |
754 | ||
755 | ||
756 | ||
757 | ########################### | |
758 | # Target IP Determination # | |
759 | ########################### | |
760 | - This portion starts the actual workshop content | |
761 | - Zone Transfer fails on most domains, but here is an example of one that works: | |
762 | dig axfr heartinternet.co.uk @ns.heartinternet.co.uk | |
763 | ||
764 | ||
765 | - Usually you will need to do a DNS brute-force with something like blindcrawl or fierce | |
766 | perl blindcrawl.pl -d motorola.com | |
767 | Look up the IP addresses at: | |
768 | http://www.networksolutions.com/whois/index.jsp | |
769 | ||
770 | cd ~/toolz/fierce2 | |
771 | sudo apt-get install -y cpanminus cpan-listchanges cpanoutdated libappconfig-perl libyaml-appconfig-perl libnetaddr-ip-perl libnet-cidr-perl vim | |
772 | strategicsec | |
773 | wget http://search.cpan.org/CPAN/authors/id/A/AB/ABW/Template-Toolkit-2.14.tar.gz | |
774 | tar -zxvf Template-Toolkit-2.14.tar.gz | |
775 | cd Template-Toolkit-2.14/ | |
776 | perl Makefile.PL | |
777 | y | |
778 | y | |
779 | n | |
780 | y | |
781 | sudo make install | |
782 | ||
783 | sudo bash install.sh | |
784 | ||
785 | ./fierce | |
786 | ||
787 | ./fierce -dns motorola.com | |
788 | ||
789 | cd ~/toolz/ | |
790 | ||
791 | ||
792 | ||
793 | ||
794 | - Here we do a forward lookup against an entire IP range. Basically take every IP in the range and see what it's hostname is | |
795 | cd ~/toolz/ | |
796 | ./ipcrawl 148.87.1.1 148.87.1.254 (DNS forward lookup against an IP range) | |
797 | ||
798 | ||
799 | sudo nmap -sL 148.87.1.0-255 | |
800 | sudo nmap -sL 148.87.1.0-255 | grep oracle | |
801 | ||
802 | ||
803 | ||
804 | ||
805 | ||
806 | ||
807 | ########################### | |
808 | # Load Balancer Detection # | |
809 | ########################### | |
810 | ||
811 | - Here are some options to use for identifying load balancers: | |
812 | - http://toolbar.netcraft.com/site_report/ | |
813 | - Firefox LiveHTTP Headers | |
814 | ||
815 | ||
816 | - Here are some command-line options to use for identifying load balancers: | |
817 | ||
818 | dig google.com | |
819 | ||
820 | cd ~/toolz | |
821 | ./lbd-0.1.sh google.com | |
822 | ||
823 | ||
824 | halberd microsoft.com | |
825 | halberd motorola.com | |
826 | halberd oracle.com | |
827 | ||
828 | ||
829 | ||
830 | ||
831 | ||
832 | ###################################### | |
833 | # Web Application Firewall Detection # | |
834 | ###################################### | |
835 | ||
836 | cd ~/toolz/wafw00f | |
837 | python wafw00f.py http://www.oracle.com | |
838 | python wafw00f.py http://www.strategicsec.com | |
839 | ||
840 | ||
841 | cd ~/toolz/ | |
842 | sudo nmap -p 80 --script http-waf-detect.nse oracle.com | |
843 | ||
844 | sudo nmap -p 80 --script http-waf-detect.nse healthcare.gov | |
845 | ||
846 | ||
847 | ######################### | |
848 | # Playing with Nmap NSE # | |
849 | ######################### | |
850 | ||
851 | nmap -Pn -p80 --script ip-geolocation-* strategicsec.com | |
852 | ||
853 | nmap -p80 --script dns-brute strategicsec.com | |
854 | ||
855 | nmap --script http-robtex-reverse-ip secore.info | |
856 | ||
857 | nmap -Pn -p80 --script=http-headers strategicsec.com | |
858 | ||
859 | ||
860 | ls /usr/share/nmap/scripts | grep http | |
861 | nmap -Pn -p80 --script=http-* strategicsec.com | |
862 | ||
863 | sudo nmap -Pn -n --open -p21 --script=banner,ftp-anon,ftp-bounce,ftp-proftpd-backdoor,ftp-vsftpd-backdoor 148.87.1.0/24 | |
864 | ||
865 | sudo nmap -Pn -n --open -p22 --script=sshv1,ssh2-enum-algos 148.87.1.0/24 | |
866 | ||
867 | sudo nmap -Pn -n -sU --open -p53 --script=dns-blacklist,dns-cache-snoop,dns-nsec-enum,dns-nsid,dns-random-srcport,dns-random-txid,dns-recursion,dns-service-discovery,dns-update,dns-zeustracker,dns-zone-transfer 148.87.1.0/24 | |
868 | ||
869 | sudo nmap -Pn -n --open -p111 --script=nfs-ls,nfs-showmount,nfs-statfs,rpcinfo 148.87.1.0/24 | |
870 | ||
871 | sudo nmap -Pn -n --open -p445 --script=msrpc-enum,smb-enum-domains,smb-enum-groups,smb-enum-processes,smb-enum-sessions,smb-enum-shares,smb-enum-users,smb-mbenum,smb-os-discovery,smb-security-mode,smb-server-stats,smb-system-info,smbv2-enabled,stuxnet-detect 148.87.1.0/24 | |
872 | ||
873 | sudo nmap -Pn -n --open -p1433 --script=ms-sql-dump-hashes,ms-sql-empty-password,ms-sql-info 148.87.1.0/24 | |
874 | ||
875 | sudo nmap -Pn -n --open -p1521 --script=oracle-sid-brute --script oracle-enum-users --script-args oracle-enum-users.sid=ORCL,userdb=orausers.txt 148.87.1.0/24 | |
876 | ||
877 | sudo nmap -Pn -n --open -p3306 --script=mysql-databases,mysql-empty-password,mysql-info,mysql-users,mysql-variables 148.87.1.0/24 | |
878 | ||
879 | sudo nmap -Pn -n --open -p3389 --script=rdp-vuln-ms12-020,rdp-enum-encryption 148.87.1.0/24 | |
880 | ||
881 | sudo nmap -Pn -n --open -p5900 --script=realvnc-auth-bypass,vnc-info 148.87.1.0/24 | |
882 | ||
883 | sudo nmap -Pn -n --open -p6000-6005 --script=x11-access 148.87.1.0/24 | |
884 | ||
885 | sudo nmap -Pn -n --open -p27017 --script=mongodb-databases,mongodb-info 148.87.1.0/24 | |
886 | ||
############
# Nmap NSE #
############

- Reference for this tutorial is:
https://thesprawl.org/research/writing-nse-scripts-for-vulnerability-scanning/

----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
-- The Rule Section --
portrule = function(host, port)
  return port.protocol == "tcp"
    and port.number == 80
    and port.state == "open"
end

-- The Action Section --
action = function(host, port)
  return "Linux for InfoSec Professionals!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
  return "Linux for InfoSec Professionals!"
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)
  return response.status
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)

  if ( response.status == 200 ) then
    return response.body
  end
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)

  if ( response.status == 200 ) then
    local title = string.match(response.body, "Pentest Candidate Program")
    return title
  end
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443


----------------------------------------------------------------------
sudo vi /usr/share/nmap/scripts/intro-nse.nse

-- The Head Section --
local shortport = require "shortport"
local http = require "http"
local string = require "string"

-- The Rule Section --
portrule = shortport.http

-- The Action Section --
action = function(host, port)
  local uri = "/blog/2016/4/2/meterpreter-new-windows-powershell-extension/"
  local response = http.get(host, port, uri)

  if ( response.status == 200 ) then
    local title = string.match(response.body, "Pentest Candidate Program")

    if (title) then
      return "Vulnerable"
    else
      return "Not Vulnerable"
    end
  end
end
----------------------------------------------------------------------

- Ok, now that we've made that change let's run the script
sudo nmap --script=/usr/share/nmap/scripts/intro-nse.nse darkoperator.com -p 22,80,443
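- As an added example (not from the original notes or the referenced tutorial), here is the same page-marker check written as a complete NSE script: it fills in the head section the tutorial leaves as a comment (description, author, license, categories), takes the URI and marker from script arguments instead of hard-coding them, and reports structured output rather than a bare string. The script name, the argument names `marker-check.uri` and `marker-check.pattern`, and the default URI are assumptions.

```lua
description = [[
Fetches one URI from an HTTP service and reports whether the response body
contains a marker string. URI and marker come from script arguments so the
check can be reused without editing the script.
]]

author = "Added example for the Linux For InfoSec notes (not from the original)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

local shortport = require "shortport"
local http = require "http"
local stdnse = require "stdnse"
local string = require "string"

-- The Rule Section: run only on ports Nmap identifies as HTTP (as in the tutorial).
portrule = shortport.http

-- The Action Section: fetch the page, look for the marker, return a table.
action = function(host, port)
  -- Assumed argument names; pass them with --script-args.
  local uri = stdnse.get_script_args("marker-check.uri") or "/"
  local pattern = stdnse.get_script_args("marker-check.pattern")
  if not pattern then
    return stdnse.format_output(false, "marker-check.pattern not set")
  end

  local response = http.get(host, port, uri)
  -- response.status is nil when the request itself failed (timeout, reset).
  if not response or not response.status then
    return nil
  end

  local out = stdnse.output_table()
  out.uri = uri
  out.status = response.status
  if response.status == 200 and response.body then
    -- plain=true: the marker is matched literally, not as a Lua pattern.
    out.found = string.find(response.body, pattern, 1, true) ~= nil
  else
    out.found = false
  end
  return out
end

-- Example invocation (assumed file name, host from the notes):
-- sudo nmap -p 22,80,443 --script ./marker-check.nse \
--   --script-args 'marker-check.uri=/,marker-check.pattern=Pentest Candidate Program' darkoperator.com
```

Because the action returns nil on a failed request and a table otherwise, Nmap prints nothing for unreachable services and a `uri`/`status`/`found` block for the rest, which is easier to grep or parse from -oX output than the "Vulnerable"/"Not Vulnerable" strings in the tutorial version.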



##############################
# Linux For InfoSec Homework #
##############################
In order to receive your certificate of attendance you must complete all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.


Submit the results via email as an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx).




###############################
# Linux For InfoSec Challenge #
###############################

In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/b5SxBRf6).

Submit the results via email as an MS Word document (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx).




IMPORTANT NOTE:
Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and kasheia-at-strategicsec-.-com) by Sunday October 16th at midnight EST.