prepintel.sh

#!/bin/bash
# ./prepintel.sh
# Israel Torres hakin9@israeltorres.org
# Sun Aug  7 17:31:13 PDT 2011
# "Forensic Improvisation"
#
# use in bash prompt: ./prepintel.sh for usage (-w|-f) [v0.1]
# todo: Applescript drag and drop, batch processing, -s support
#
# batch example
# ls *.bin > testcases.txt; for i in $(cat testcases.txt); do ./prepintel.sh -f $i; done
#
if [ ! $# -lt 2 ]; then
PSTYPE=$1
TARGET=$2
# Generate timestamp prefix during processing
TEMPHEAD=$(date +%s)
TIMEDECO=$(date -r $TEMPHEAD)
EXTENSON=.txt
# For Web Server Information
if [ $PSTYPE == "-w" ]; then
WWWSITE="$2" # using -w switch
# Output Filename Generation
WHEADINFO="$TEMPHEAD-$WWWSITE-HEAD$EXTENSON"
WGETCINFO="$TEMPHEAD-$WWWSITE-GET$EXTENSON"
WGETTINFO="$TEMPHEAD-$WWWSITE-GET-TIDY$EXTENSON"
WNMAPINFO="$TEMPHEAD-$WWWSITE-NMAPSRV$EXTENSON"
WWHOIINFO="$TEMPHEAD-$WWWSITE-WHOISUR$EXTENSON"
WNSLOINFO="$TEMPHEAD-$WWWSITE-NSLOOKU$EXTENSON"
# Ouput
CONNSTR=$(echo -ne "HEAD / HTTP/1.0\r\n\r\n")
echo "###$WHEADINFO" > $WHEADINFO; echo "$CONNSTR" | nc $WWWSITE 80 >> $WHEADINFO
CONNSTR=$(echo -ne "GET / HTTP/1.0\r\n\r\n")
echo "###$WGETCINFO" > $WGETCINFO; echo "$CONNSTR" | nc $WWWSITE 80 >> $WGETCINFO
CONNSTR=$(echo -ne "GET / HTTP/1.0\r\n\r\n")
echo "###$WGETTINFO" > $WGETTINFO; echo "$CONNSTR" | nc $WWWSITE 80 | tidy -i >> $WGETTINFO
# Run installed CLI Support Applications
echo "###$WNMAPINFO" > $WNMAPINFO; sudo nmap -sS $WWWSITE >> $WNMAPINFO
echo "###$WWHOIINFO" > $WWHOIINFO; whois $WWWSITE >> $WWHOIINFO
echo "###$WNSLOINFO" > $WNSLOINFO; nslookup $WWWSITE >> $WNSLOINFO
# Copy all Reports into a single searchable text file
cat $TEMPHEAD-$WWWSITE-* > "_$TEMPHEAD-$WWWSITE-master.txt"
# remove standalone artifacts and only keep master (per timestamp)
#rm $TEMPHEAD-$WWWSITE-*
fi
# For File Information
if [ -a $2 -a $PSTYPE == "-f" ]; then
FILENAME=$2 # using -f switch
FILETYPE=$(file -b $FILENAME)
FILEHMD5=$(md5 -q $FILENAME)
FILEHSH1=$(shasum -p $FILENAME | cut -d ' ' -f 1)
FILEHEAD=$(xxd -p -l 30 $FILENAME)
# Output Filename Generation
FILEINFO="$TEMPHEAD-$FILENAME-STDINFO$EXTENSON"
FILESTRG="$TEMPHEAD-$FILENAME-STRINGS$EXTENSON"
FILEEXIF="$TEMPHEAD-$FILENAME-EXIFDAT$EXTENSON"
FILEOTOL="$TEMPHEAD-$FILENAME-OTOOLDT$EXTENSON"
FILEGDBO="$TEMPHEAD-$FILENAME-GDBDISA$EXTENSON"
FILENDIS="$TEMPHEAD-$FILENAME-NDISASM$EXTENSON"
FILEOTXO="$TEMPHEAD-$FILENAME-OTXOUTP$EXTENSON"
FILEGFIN="$TEMPHEAD-$FILENAME-GETFILE$EXTENSON"
FILEENTR="$TEMPHEAD-$FILENAME-ENTROPY$EXTENSON"
FILEPGPD="$TEMPHEAD-$FILENAME-PGPDUMP$EXTENSON"
# Format Initial Discovery Output
echo "###$FILEINFO" > $FILEINFO
echo -e "TIMESTMP:\t$TEMPHEAD $TIMEDECO" >> $FILEINFO
echo -e "FILENAME:\t$FILENAME" >> $FILEINFO
echo -e "FILETYPE:\t$FILETYPE" >> $FILEINFO
echo -e "FILEHMD5:\t$FILEHMD5" >> $FILEINFO
echo -e "FILEHSH1:\t$FILEHSH1" >> $FILEINFO
echo -e "FILEHEAD:\t$FILEHEAD" >> $FILEINFO
# Run installed CLI Support Applications
echo "###$FILESTRG" > $FILESTRG; strings $FILENAME >> $FILESTRG
echo "###$FILEEXIF" > $FILEEXIF; exiftool $FILENAME >> $FILEEXIF
echo "###$FILEOTOL" > $FILEOTOL; otool -tV $FILENAME >> $FILEOTOL
echo "###$FILEGDBO" > $FILEGDBO; echo "disassemble main" | gdb -silent $FILENAME >> $FILEGDBO
echo "###$FILENDIS" > $FILENDIS; ndisasm $FILENAME >> $FILENDIS
echo "###$FILEOTXO" > $FILEOTXO; otx -d $FILENAME >> $FILEOTXO
echo "###$FILEGFIN" > $FILEGFIN; GetFileInfo $FILENAME >> $FILEGFIN
echo "###$FILEENTR" > $FILEENTR; ent $FILENAME >> $FILEENTR
echo "###$FILEPGPD" > $FILEPGPD; pgpdump $FILENAME >> $FILEPGPD
# Copy all Reports into a single searchable text file
cat $TEMPHEAD-$FILENAME-* > "_$TEMPHEAD-$FILENAME-master.txt"
# remove standalone artifacts and only keep master (per timestamp)
# rm $TEMPHEAD-$FILENAME-*
fi
# Usage Console Message
else
echo "usage: $0 '-w|-f' 'url|filename'"
echo "example: $0 -w www.israeltorres.org > /dev/null 2>&1"
echo "example: $0 -f test.bin > /dev/null 2>&1"
fi

#EOF