joemccray

CS Network Assessment

Feb 27th, 2019
###################################
----------- ############### # Day 1: External Network Mapping ################ -----------
###################################


###################################
# Setting up your virtual machine #
# Note: run as root user          #
###################################


Here is where we will set up all of the required dependencies for the tools we plan to install.
---------------------------Type this as root--------------------------
apt update
apt-get install -y libpcre3-dbg libpcre3-dev autoconf automake libtool libpcap-dev libnet1-dev libyaml-dev libjansson4 libcap-ng-dev libmagic-dev libjansson-dev zlib1g-dev libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev cmake make gcc g++ flex bison libpcap-dev libssl-dev unzip python-dev swig zlib1g-dev sendmail sendmail-bin prads tcpflow python-scapy python-yara tshark whois jq nmap python-setuptools


Some tools to install:
---------------------------Type this as a regular user----------------------------------
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/cgi-scanners/Webr00t.pl
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/blindcrawl.pl
wget --no-check-certificate https://dl.packetstormsecurity.net/UNIX/scanners/propecia.c
wget --no-check-certificate https://raw.githubusercontent.com/craig/ge.mine.nu/master/lbd/lbd.sh
gcc propecia.c -o propecia
sudo cp propecia /bin
wget --no-check-certificate https://raw.githubusercontent.com/BenDrysdale/ipcrawl/master/ipcrawl.c
gcc ipcrawl.c -o ipcrawl
chmod 777 ipcrawl
sudo cp ipcrawl /bin

git clone https://github.com/jmbr/halberd.git
cd halberd/
sudo python setup.py install

git clone https://github.com/EnableSecurity/wafw00f.git
cd wafw00f/
sudo python setup.py install
-----------------------------------------------------------------------


###########################
# Target IP Determination #
###########################
---------------------------Type this as a regular user----------------------------------
cd ~/

perl blindcrawl.pl -d cellularsales.com
-----------------------------------------------------------------------


-- Take each IP address and look it up here:
http://whois.domaintools.com/


Host discovery of the IP space:
---------------------------Type This-----------------------------------
./ipcrawl 74.221.176.0 74.221.191.255 | grep cell

sudo nmap -sL 74.221.176.0/20 | grep cell
----------------------------------------------------------------------


###########################
# Load Balancer Detection #
###########################

Here are some options to use for identifying load balancers:
- http://toolbar.netcraft.com/site_report
- https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/


Here are some command-line options to use for identifying load balancers:
---------------------------Type This-----------------------------------
dig cellularsales.com

./lbd.sh cellularsales.com

halberd cellularsales.com
-----------------------------------------------------------------------


######################################
# Web Application Firewall Detection #
######################################
---------------------------Type This-----------------------------------
wafw00f.py http://www.cellularsales.com

sudo nmap -p 80 --script http-waf-detect.nse cellularsales.com
-----------------------------------------------------------------------


########################
# Scanning Methodology #
########################

- Ping Sweep
What's alive?
------------
---------------------------Type This-----------------------------------
sudo nmap -sP 74.221.180.*
-----------------------------------------------------------------------


- If -sP yields no results, try:
---------------------------Type This-----------------------------------
sudo nmap -sL 74.221.180.*
-----------------------------------------------------------------------


- Look for hostnames:
---------------------------Type This-----------------------------------
sudo nmap -sL 157.166.226.* | grep com
-----------------------------------------------------------------------


- Port Scan
What's where?
------------
---------------------------Type This-----------------------------------
sudo nmap -sS 74.221.180.*
-----------------------------------------------------------------------


- Bannergrab/Version Query
What versions of software are running?
-------------------------------------
---------------------------Type This-----------------------------------
sudo nmap -sV 74.221.180.*
-----------------------------------------------------------------------


- Vulnerability Research
Look up the banner versions for public exploits
----------------------------------------------
http://exploit-db.com
http://securityfocus.com/bid
https://packetstormsecurity.com/files/tags/exploit/


--------------------------------------------------------------------------------------------------------------------------------
################
# VPN Auditing #
################


####################
# Install IKE-Scan #
####################

---------------------------Type This-----------------------------------
sudo apt-get install -y ike-scan

wget https://raw.githubusercontent.com/0x90/wifi-arsenal/master/IKECrack/ikecrack-snarf-1.00.pl
-----------------------------------------------------------------------


#############
# Discovery #
#############

---------------------------Type This-----------------------------------
[root@Linux j0e]# ike-scan -M 24.24.0.0/16 <--- Discovery of VPNs

[root@Linux j0e]# ike-scan -M --aggressive 24.24.0.0/16 <--- Discovery of VPNs in aggressive mode
-----------------------------------------------------------------------


##################
# Fingerprinting #
##################

---------------------------Type This-----------------------------------
[root@Linux j0e]# ike-scan -M --trans=5,2,1,2 --showbackoff 24.24.1.151 <--- Fingerprinting
-----------------------------------------------------------------------


*** If you are really having trouble figuring out what the VPN is, then you might wanna try some different transforms. The script below prints every combination of the listed encryption, hash, authentication and DH group values as an ike-scan --trans argument.
-----------------------------------------------------------------------
#!/bin/sh
# generate-transforms.sh
# Encryption algorithms: DES, Triple-DES, AES/128, AES/192 and AES/256
ENCLIST="1 5 7/128 7/192 7/256"
# Hash algorithms: MD5 and SHA1
HASHLIST="1 2"
# Authentication methods: Pre-Shared Key, RSA Signatures, Hybrid Mode and XAUTH
AUTHLIST="1 3 64221 65001"
# Diffie-Hellman groups: 1, 2 and 5
GROUPLIST="1 2 5"
#
for ENC in $ENCLIST; do
    for HASH in $HASHLIST; do
        for AUTH in $AUTHLIST; do
            for GROUP in $GROUPLIST; do
                echo "--trans=$ENC,$HASH,$AUTH,$GROUP"
            done
        done
    done
done
-----------------------------------------------------------------------
---------------------------Type This-----------------------------------
[root@Linux j0e]# sh generate-transforms.sh | xargs --max-lines=8 ike-scan 24.24.1.151 <--- Fingerprinting

[root@Linux j0e]# ike-scan -M `perl -e 'print "--trans=2,3,4,5 " x 20 . "--trans 5,2,1,2";'` 24.24.1.151

[root@Linux j0e]# ike-scan --trans=5,2,1,2 --vendor=4048b7d56ebce88525e7de7f00d6c2d3c0000000 --multiline 24.24.1.151
-----------------------------------------------------------------------
################
# PSK Cracking #
################

---------------------------Type This-----------------------------------
[root@Linux toolz]# /usr/sbin/tcpdump -nxq > logfile.dat
-----------------------------------------------------------------------

or

---------------------------Type This-----------------------------------
windump -nxq -s 1500 port 500 > logfile.dat
-----------------------------------------------------------------------

*****Make a connection attempt with the VPN client, then stop the log capture.*****
Because the VPN uses PSK you can do this without a password, so this logfile
will contain the actual PSK, and ikecrack-snarf will brute-force it for you.

You have to attempt your connection with the VPN client software for that
specific VPN, and the VPN needs to be in aggressive mode.

---------------------------Type This-----------------------------------
[root@Linux toolz]# perl ikecrack-snarf-1.00.pl 24.24.1.151.500
-----------------------------------------------------------------------

*****IKECrack by default looks for "logfile.dat" in the current directory*****


----------------------------------------------------------------------------------------------------------------------

---------------------------Type This-----------------------------------
[root@LinuxLaptop toolz]# ike-scan -M 24.24.1.0/24
-----------------------------------------------------------------------

Starting ike-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/ike-scan/)
24.24.1.0    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=ba78bba863d98025)
24.24.1.1    Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=e9ba2df614761ad3)
24.24.1.2    Notify message 14 (NO-PROPOSAL-CHOSEN)
24.24.1.151  Main Mode Handshake returned
    HDR=(CKY-R=30a3910882ffea48)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
24.24.1.162  Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=0000000000000000)
24.24.1.169 (24.24.1.162)  Notify message 14 (NO-PROPOSAL-CHOSEN)
    HDR=(CKY-R=0000000000000000)
24.24.1.236  Main Mode Handshake returned
    HDR=(CKY-R=f31f790c32b65404)
    SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)

Ending ike-scan 1.9: 256 hosts scanned in 39.640 seconds (6.46 hosts/sec). 2 returned handshake; 12 returned notify

---------------------------Type This-----------------------------------
[root@LinuxLaptop toolz]# ike-scan -M --trans=5,2,1,2 --showbackoff 24.24.1.151
-----------------------------------------------------------------------

Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
24.24.1.151  Main Mode Handshake returned
    HDR=(CKY-R=82c51aa0ae799258)
    SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
    VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)


IKE Backoff Patterns:

IP Address     No.   Recv time            Delta Time
24.24.1.151    1     1182310337.727521    0.000000
24.24.1.151    2     1182310345.723607    7.996086
24.24.1.151    3     1182310353.723382    7.999775
24.24.1.151    4     1182310361.724154    8.000772
24.24.1.151    Implementation guess: Cisco VPN Concentrator

Ending ike-scan 1.9: 1 hosts scanned in 84.191 seconds (0.01 hosts/sec). 1 returned handshake; 0 returned notify
--------------------------------------------------------------------------------------------------------------------------------
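As an added example (not part of the course notes or of ike-scan itself), this Python script parses ike-scan -M output in the shape shown above and turns it into the findings an auditor would report on a VPN endpoint: DES/3DES, MD5, a DH group below 2048 bits, and PSK authentication. The sample output, the second responder's proposal and the weak-setting thresholds are constructed assumptions for this example.

```python
import re

# Constructed sample in the shape of the `ike-scan -M` output above; hosts,
# cookies and the second responder's proposal are made up for this example.
SAMPLE_OUTPUT = """\
Starting ike-scan 1.9 with 256 hosts (http://www.nta-monitor.com/tools/ike-scan/)
24.24.1.0\tNotify message 14 (NO-PROPOSAL-CHOSEN)
\tHDR=(CKY-R=ba78bba863d98025)
24.24.1.151\tMain Mode Handshake returned
\tSA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
24.24.1.236\tMain Mode Handshake returned
\tSA=(Enc=AES KeyLength=256 Hash=SHA1 Group=14:modp2048 Auth=RSA_Sig LifeType=Seconds LifeDuration=28800)
Ending ike-scan 1.9: 256 hosts scanned in 39.640 seconds (6.46 hosts/sec).  2 returned handshake; 1 returned notify
"""

HOST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(.*)$")   # unindented host lines only
SA_RE = re.compile(r"SA=\((.*)\)")

# Thresholds are this example's assumptions: DES/3DES, MD5 and DH groups below
# 2048 bits are flagged; PSK is flagged because it is what the PSK section above targets.
WEAK_ENC, WEAK_HASH, WEAK_GROUPS = {"DES", "3DES"}, {"MD5"}, {"1", "2", "5"}

def parse_ike_scan(text):
    """Group -M (multiline) output by host: {ip: {"status": str, "sa": {param: value}}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                       # a new host record starts
            current = m.group(1)
            hosts[current] = {"status": m.group(2).strip(), "sa": {}}
            continue
        line = line.strip()
        if current is not None and line.startswith("SA="):   # the accepted transform
            body = SA_RE.search(line).group(1)
            hosts[current]["sa"] = dict(kv.split("=", 1) for kv in body.split())
    return hosts

def audit(hosts):
    """Return {ip: [finding, ...]} for every host that completed a handshake."""
    findings = {}
    for ip, info in hosts.items():
        sa = info["sa"]
        if not sa:                                  # notify-only responders carry no SA
            continue
        issues = []
        if sa.get("Enc") in WEAK_ENC:
            issues.append("weak encryption " + sa["Enc"])
        if sa.get("Hash") in WEAK_HASH:
            issues.append("weak hash " + sa["Hash"])
        if sa.get("Group", "").split(":")[0] in WEAK_GROUPS:
            issues.append("small DH group " + sa["Group"])
        if sa.get("Auth") == "PSK":
            issues.append("PSK authentication accepted")
        findings[ip] = issues
    return findings
```

Feed it a saved `ike-scan -M` run instead of SAMPLE_OUTPUT to get a per-host list of settings worth tightening on the concentrator.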
  326.  
  327.  
  328.  
  329.  
  330.  
  331.  
  332.  
  333.  
  334.  
  335.  
  336. ###########################
  337. ----------- ############### # Day 2: Malware Analysis ################ -----------
  338. ###########################
  339.  
  340.  
  341. ---------------------------Type This-----------------------------------
  342. wget http://45.63.104.73/wannacry.zip
  343.  
  344. unzip wannacry.zip
  345. infected
  346.  
  347. file wannacry.exe
  348.  
  349. mv wannacry.exe malware.pdf
  350.  
  351. file malware.pdf
  352.  
  353. mv malware.pdf wannacry.exe
  354.  
  355. hexdump -n 2 -C wannacry.exe
  356.  
  357. -----------------------------------------------------------------------
  358.  
  359.  
  360.  
  361. ***What is '4d 5a' or 'MZ'***
  362. Open a web browswer and take a look at the link below.
  363. http://www.garykessler.net/library/file_sigs.html
  364.  
  365. While on this page use CTRL-F to search for the following:
  366. MX
  367. PDF
  368. XLS
  369.  
  370.  
  371. Look at the hex representation for each file type.
  372.  
  373. This website has the data that is in the header of each file type. This is really important for file analysis.
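Added example, not from the notes: a small Python checker that identifies a file by its leading bytes (the signatures the file_sigs page lists) rather than by its extension, and for MZ files follows e_lfanew to confirm a real PE signature, which is what made `file malware.pdf` still say "executable" above. The signature table chosen here and the constructed FAKE_PE/FAKE_PDF bytes are this example's own assumptions.

```python
import os
import struct

# Leading magic bytes for a few types from the file-signature table the notes
# point to; which types to include is this example's own choice.
SIGNATURES = [
    (b"MZ", "MZ"),                                     # DOS/Windows executable
    (b"%PDF", "PDF"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2"),    # legacy XLS/DOC/PPT
    (b"PK\x03\x04", "ZIP"),                            # also DOCX/XLSX/JAR
    (b"\x7fELF", "ELF"),
]
EXT_TO_TYPE = {".exe": "MZ", ".dll": "MZ", ".pdf": "PDF", ".xls": "OLE2",
               ".doc": "OLE2", ".xlsx": "ZIP", ".docx": "ZIP", ".zip": "ZIP"}

def identify(data):
    """Return the type tag for the leading magic bytes, or None if unknown."""
    for magic, tag in SIGNATURES:
        if data.startswith(magic):
            return tag
    return None

def has_pe_header(data):
    """An 'MZ' prefix is only a DOS stub; a real PE also has 'PE\\0\\0' at the
    offset stored in e_lfanew (a little-endian 32-bit int at 0x3C)."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def extension_lies(filename, data):
    """True when the extension claims one known type but the bytes say another
    (the wannacry.exe -> malware.pdf rename above)."""
    claimed = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    actual = identify(data)
    return claimed is not None and actual is not None and claimed != actual

# Constructed stand-ins (not real samples): a minimal PE-shaped header whose
# e_lfanew points at 0x40, and the first bytes of a PDF.
FAKE_PE = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_PDF = b"%PDF-1.4\n%constructed\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            head = fh.read(4096)
        print(path, identify(head), "PE" if has_pe_header(head) else "",
              "EXTENSION MISMATCH" if extension_lies(path, head) else "")
```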
  374.  
  375.  
  376. ---------------------------Type This-----------------------------------
  377. objdump -x wannacry.exe
  378.  
  379. strings wannacry.exe
  380.  
  381. strings --all wannacry.exe | head -n 6
  382.  
  383. strings wannacry.exe | grep -i dll
  384.  
  385. strings wannacry.exe | grep -i library
  386.  
  387. strings wannacry.exe | grep -i reg
  388.  
  389. strings wannacry.exe | grep -i key
  390.  
  391. strings wannacry.exe | grep -i rsa
  392.  
  393. strings wannacry.exe | grep -i open
  394.  
  395. strings wannacry.exe | grep -i get
  396.  
  397. strings wannacry.exe | grep -i mutex
  398.  
  399. strings wannacry.exe | grep -i irc
  400.  
  401. strings wannacry.exe | grep -i join
  402.  
  403. strings wannacry.exe | grep -i admin
  404.  
  405. strings wannacry.exe | grep -i list
  406.  
  407.  
  408.  
  409. -----------------------------------------------------------------------
  410.  
  411.  
  412.  
  413.  
  414.  
  415.  
  416.  
  417.  
  418. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  419.  
  420. Quick Google search for "wannacry ransomeware analysis"
  421.  
  422.  
  423. Reference
  424. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  425.  
  426. - Yara Rule -
  427.  
  428.  
  429. Strings:
  430. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  431. $s2 = “Wanna Decryptor” wide ascii nocase
  432. $s3 = “.wcry” wide ascii nocase
  433. $s4 = “WANNACRY” wide ascii nocase
  434. $s5 = “WANACRY!” wide ascii nocase
  435. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  436.  
  437.  
  438.  
  439.  
  440.  
  441.  
  442.  
  443.  
  444. Ok, let's look for the individual strings
  445.  
  446. ---------------------------Type This-----------------------------------
  447.  
  448. strings wannacry.exe | grep -i ooops
  449.  
  450. strings wannacry.exe | grep -i wanna
  451.  
  452. strings wannacry.exe | grep -i wcry
  453.  
  454. strings wannacry.exe | grep -i wannacry
  455.  
  456. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  457.  
  458.  
  459. -----------------------------------------------------------------------
  460.  
  461.  
  462.  
  463.  
  464.  
  465. ####################################
  466. # Tired of GREP - let's try Python #
  467. ####################################
  468. Decided to make my own script for this kind of stuff in the future. I
  469.  
  470. Reference1:
  471. http://45.63.104.73/analyse_malware.py
  472.  
  473. This is a really good script for the basics of static analysis
  474.  
  475. Reference:
  476. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  477.  
  478.  
  479. This is really good for showing some good signatures to add to the Python script
  480.  
  481.  
  482. Here is my own script using the signatures (started this yesterday, but still needs work):
  483. https://pastebin.com/guxzCBmP
  484.  
  485.  
  486. ---------------------------Type This-----------------------------------
  487. wget http://45.63.104.73/analyse_malware.py
  488. wget https://pastebin.com/raw/guxzCBmP
  489.  
  490.  
  491. mv guxzCBmP am.py
  492.  
  493. chmod +x analyse_malware.py
  494. chmod +x am.py
  495.  
  496. python analyse_malware.py
  497. python am.py wannacry.exe
  498.  
  499. nano analyse_malware.py
  500. nano am.py
  501. -----------------------------------------------------------------------
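Added example for the grep session above and for the Python idea in this section (example code written for this edit, not the analyse_malware.py or am.py scripts the notes link): it searches a file for the YARA strings listed above the way `wide ascii nocase` would, which also covers the UTF-16LE text that `strings` and `grep -i` miss by default. The SAMPLE buffer is constructed, not a real binary.

```python
# The WannaCry indicator strings quoted from the YARA rule above.
SIGNATURES = {
    "s1": "Ooops, your files have been encrypted!",
    "s2": "Wanna Decryptor",
    "s3": ".wcry",
    "s4": "WANNACRY",
    "s5": "WANACRY!",
    "s7": "icacls . /grant Everyone:F /T /C /Q",
}

def find_all(haystack, needle):
    """Yield every offset at which needle occurs in haystack (overlaps allowed)."""
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return
        yield idx
        start = idx + 1

def scan(data, signatures=SIGNATURES):
    """Emulate YARA's 'wide ascii nocase': look for each signature as ASCII and
    as UTF-16LE ('wide', how Windows binaries store GUI text; plain `strings`
    only shows it with -e l), ignoring ASCII letter case.
    Returns {sig_id: [(encoding, offset), ...]} for the signatures that matched."""
    folded = data.lower()          # bytes.lower() folds ASCII letters only
    hits = {}
    for name, text in signatures.items():
        needles = (("ascii", text.lower().encode("ascii")),
                   ("wide", text.lower().encode("utf-16-le")))
        for enc, needle in needles:
            for off in find_all(folded, needle):
                hits.setdefault(name, []).append((enc, off))
    return hits

# Constructed buffer standing in for a binary (not a real sample): junk, an ASCII
# indicator in odd case, then a UTF-16LE indicator that `grep -i` would not see.
SAMPLE = (b"\x00\x10junk" + b"wAnAcRy!" + b"\x00" * 8
          + "Wanna Decryptor".encode("utf-16-le") + b"\xff" * 4 + b"harmless text")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for name, where in sorted(scan(data).items()):
        print("$" + name + ": " + ", ".join("%s@0x%x" % (enc, off) for enc, off in where))
```

Run it as `python3 scanner.py wannacry.exe` to see which of the rule's strings are present and in which encoding; a hit list with several wide-only matches is exactly what the ASCII-only grep loop above would have missed.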