Advertisement
joemccray

CHFI 2020

Jun 15th, 2020
655
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 21.65 KB | None | 0 0
  1. #############################
  2. ############################## # Day 1: Linux Fundamentals # ##############################
  3. #############################
  4.  
  5.  
  6.  
  7.  
  8.  
  9.  
  10.  
  11.  
  12. #####################################################
  13. # 2020 Digital Forensics & Incident Response #
  14. # By Joe McCray #
  15. #####################################################
  16.  
  17. - Here is a good set of slides for getting started with Linux:
  18. http://www.slideshare.net/olafusimichael/linux-training-24086319
  19.  
  20.  
  21. - Here is a good tutorial that you should complete before doing the labs below:
  22. http://linuxsurvival.com/linux-tutorial-introduction/
  23.  
  24.  
  25. - I prefer to use Putty to SSH into my Linux host.
  26. - You can download Putty from here:
  27. - http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe
  28.  
  29. Here is the information to put into putty
  30.  
  31. Host Name: 149.28.201.171
  32. protocol: ssh
  33. port: 22
  34. username: chfi
  35. password: chfi!chfi123!
  36.  
  37.  
  38. If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/)
  39.  
  40. Open a terminal, then type:
  41. -------------------------------
  42. ssh -l chfi 149.28.201.171
  43. ------------------------------
  44.  
  45.  
  46.  
  47.  
  48. ########################
  49. # Basic Linux Commands #
  50. ########################
  51.  
  52. ---------------------------Type This-----------------------------------
  53. cd ~
  54.  
  55. pwd
  56.  
  57. whereis pwd
  58.  
  59. which pwd
  60.  
  61. sudo find / -name pwd
  62.  
  63. /bin/pwd
  64.  
  65. cd ~/students/
  66.  
  67. mkdir yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please
  68.  
  69. cd yourname <---- replace 'yourname' with your first name in lowercase with no spaces or special characters please
  70.  
  71. touch one two three
  72.  
  73. ls -l t (without pressing the Enter key, press the Tab key twice. What happens?)
  74.  
  75. h (and again without pressing the Enter key, press the Tab key twice. What happens?)
  76.  
  77. Press the 'Up arrow key' (What happens?)
  78.  
  79. Press 'Ctrl-A' (What happens?)
  80.  
  81. ls
  82.  
  83. clear (What happens?)
  84.  
  85. echo one > one
  86.  
  87. cat one (What happens?)
  88.  
  89. man cat (What happens?)
  90. q
  91.  
  92. cat two
  93.  
  94. cat one > two
  95.  
  96. cat two
  97.  
  98. cat one two > three
  99.  
  100. cat three
  101.  
  102. echo four >> three
  103.  
  104. cat three (What happens?)
  105.  
  106. wc -l three
  107.  
  108. man wc
  109. q
  110.  
  111. info wc
  112. q
  113.  
  114. cat three | grep four
  115.  
  116. cat three | grep one
  117.  
  118. man grep
  119. q
  120.  
  121.  
  122. man ps
  123. q
  124.  
  125. ps
  126.  
  127. ps aux
  128.  
  129. ps aux | less
  130.  
  131. Press the 'Up arrow key' (What happens?)
  132.  
  133. Press the 'Down arrow key' (What happens?)
  134. q
  135.  
  136. top
  137. q
  138. -----------------------------------------------------------------------
  139.  
  140.  
  141. #########
  142. # Files #
  143. #########
  144. ---------------------------Type This-----------------------------------
  145. cd ~
  146.  
  147. pwd
  148.  
  149. cd ~/students/yourname/
  150.  
  151. pwd
  152.  
  153. ls
  154.  
  155. mkdir LinuxBasics
  156.  
  157. cd LinuxBasics
  158.  
  159. pwd
  160.  
  161. ls
  162.  
  163. mkdir files
  164.  
  165. touch one two three
  166.  
  167. cp one files/
  168.  
  169. ls files/
  170.  
  171. cd files/
  172.  
  173. cp ../two .
  174.  
  175. ls
  176.  
  177. cp ../three .
  178.  
  179. ls
  180.  
  181. tar cvf files.tar *
  182.  
  183. ls
  184.  
  185. gzip files.tar
  186.  
  187. ls
  188.  
  189. rm -rf one two three
  190.  
  191. ls
  192.  
  193. tar -zxvf files.tar.gz
  194.  
  195. rm -rf files.tar.gz
  196.  
  197. zip data *
  198.  
  199. unzip -l data.zip
  200.  
  201. mkdir /tmp/yourname/
  202.  
  203. unzip data.zip -d /tmp/yourname/
  204. -----------------------------------------------------------------------
  205.  
  206.  
  207.  
  208.  
  209. ##############################################
  210. # Log Analysis with Linux command-line tools #
  211. ##############################################
  212. - The following command line executables are found in the Mac as well as most Linux Distributions.
  213.  
  214. cat – prints the content of a file in the terminal window
  215. grep – searches and filters based on patterns
  216. awk – can sort each row into fields and display only what is needed
  217. sed – performs find and replace functions
  218. sort – arranges output in an order
  219. uniq – compares adjacent lines and can report, filter or provide a count of duplicates
  220.  
  221.  
  222.  
  223.  
  224.  
  225. ##############
  226. # Cisco Logs #
  227. ##############
  228. ---------------------------Type This-----------------------------------
  229. cd ~/students/yourname/
  230. mkdir security
  231. cd security
  232. mkdir log_analysis
  233. cd log_analysis
  234. wget http://45.63.104.73/cisco.log
  235. -----------------------------------------------------------------------
  236.  
  237.  
  238. AWK Basics
  239. ----------
  240. - To quickly demonstrate the print feature in awk, we can instruct it to show only the 5th word of each line. Here we will print $5. Only the last 4 lines are being shown for brevity.
  241. ---------------------------Type This-----------------------------------
  242. cat cisco.log | awk '{print $5}' | tail -n 4
  243. -----------------------------------------------------------------------
  244.  
  245.  
  246.  
  247. - Looking at a large file would still produce a large amount of output. A more useful thing to do might be to output every entry found in “$5”, group them together, count them, then sort them from the greatest to least number of occurrences. This can be done by piping the output through “sort“, using “uniq -c” to count the like entries, then using “sort -rn” to sort it in reverse order.
  248. ---------------------------Type This-----------------------------------
  249. cat cisco.log | awk '{print $5}'| sort | uniq -c | sort -rn
  250. -----------------------------------------------------------------------
  251.  
  252.  
  253.  
  254. - While that’s sort of cool, it is obvious that we have some garbage in our output. Evidently we have a few lines that aren’t conforming to the output we expect to see in $5. We can insert grep to filter the file prior to feeding it to awk. This insures that we are at least looking at lines of text that contain “facility-level-mnemonic”.
  255. ---------------------------Type This-----------------------------------
  256. cat cisco.log | grep %[a-zA-Z]*-[0-9]-[a-zA-Z]* | awk '{print $5}' | sort | uniq -c | sort -rn
  257. -----------------------------------------------------------------------
  258.  
  259.  
  260.  
  261.  
  262. - Now that the output is cleaned up a bit, it is a good time to investigate some of the entries that appear most often. One way to see all occurrences is to use grep.
  263. ---------------------------Type This-----------------------------------
  264. cat cisco.log | grep %LINEPROTO-5-UPDOWN:
  265.  
  266. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| awk '{print $10}' | sort | uniq -c | sort -rn
  267.  
  268. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10}' | sort | uniq -c | sort -rn
  269.  
  270. cat cisco.log | grep %LINEPROTO-5-UPDOWN:| sed 's/,//g' | awk '{print $10 " changed to " $14}' | sort | uniq -c | sort -rn
  271. -----------------------------------------------------------------------
  272.  
  273.  
  274.  
  275.  
  276.  
  277.  
  278.  
  279.  
  280.  
  281. ###########################
  282. ############################## # Day 1: Malware Analysis # ##############################
  283. ###########################
  284.  
  285.  
  286.  
  287. ################
  288. # The Scenario #
  289. ################
  290. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts). The fastest thing you can do is perform static analysis.
  291.  
  292.  
  293.  
  294. ####################
  295. # Malware Analysis #
  296. ####################
  297.  
  298.  
  299.  
  300. - After logging please open a terminal window and type the following commands:
  301. ---------------------------Type This-----------------------------------
  302. cd ~/students/yourname/security/
  303. mkdir malware_analysis
  304. cd malware_analysis
  305. -----------------------------------------------------------------------
  306.  
  307. - This is actual Malware (remember to run it in a VM - the password to extract it is 'infected':
  308.  
  309. ---------------------------Type This-----------------------------------
  310. wget https://infosecaddicts-files.s3.amazonaws.com/malware-password-is-infected.zip --no-check-certificate
  311. wget https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py --no-check-certificate
  312. wget https://infosecaddicts-files.s3.amazonaws.com/wannacry.zip --no-check-certificate
  313.  
  314. unzip malware-password-is-infected.zip
  315. infected
  316.  
  317. file malware.exe
  318.  
  319. mv malware.exe malware.pdf
  320.  
  321. file malware.pdf
  322.  
  323. mv malware.pdf malware.exe
  324.  
  325. hexdump -n 2 -C malware.exe
  326. -----------------------------------------------------------------------
  327.  
  328.  
  329. ***What is '4d 5a' or 'MZ'***
  330. Reference:
  331. http://www.garykessler.net/library/file_sigs.html
  332.  
  333.  
  334.  
  335.  
  336.  
  337.  
  338.  
  339.  
  340. ---------------------------Type This-----------------------------------
  341. objdump -x malware.exe
  342.  
  343. strings malware.exe
  344.  
  345. strings --all malware.exe | head -n 6
  346.  
  347. strings malware.exe | grep -i dll
  348.  
  349. strings malware.exe | grep -i library
  350.  
  351. strings malware.exe | grep -i reg
  352.  
  353. strings malware.exe | grep -i hkey
  354.  
  355. strings malware.exe | grep -i hku
  356. -----------------------------------------------------------------------
  357. - We didn't see anything like HKLM, HKCU or other registry type stuff
  358.  
  359.  
  360. ---------------------------Type This-----------------------------------
  361. strings malware.exe | grep -i irc
  362.  
  363. strings malware.exe | grep -i join
  364.  
  365. strings malware.exe | grep -i admin
  366.  
  367. strings malware.exe | grep -i list
  368. -----------------------------------------------------------------------
  369.  
  370. - List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
  371.  
  372. ---------------------------Type This-----------------------------------
  373. nano analyse_malware.py
  374.  
  375. python2 analyse_malware.py malware.exe
  376. -----------------------------------------------------------------------
  377.  
  378.  
  379.  
  380.  
  381.  
  382. ---------------------------Type This-----------------------------------
  383. cd ~/students/yourname/security/malware_analysis
  384.  
  385. unzip wannacry.zip
  386. infected
  387.  
  388. objdump -x wannacry.exe
  389.  
  390. objdump -x wannacry.exe | less
  391. q
  392.  
  393. strings wannacry.exe
  394.  
  395. strings wannacry.exe | grep -i dll
  396.  
  397. strings wannacry.exe | grep -i library
  398.  
  399. strings wannacry.exe | grep -i reg
  400.  
  401. strings wannacry.exe | grep -i key
  402.  
  403. strings wannacry.exe | grep -i rsa
  404.  
  405. strings wannacry.exe | grep -i open
  406.  
  407. strings wannacry.exe | grep -i get
  408.  
  409. strings wannacry.exe | grep -i mutex
  410.  
  411. strings wannacry.exe | grep -i irc
  412.  
  413. strings wannacry.exe | grep -i join
  414.  
  415. strings wannacry.exe | grep -i admin
  416.  
  417. strings wannacry.exe | grep -i list
  418. ----------------------------------------------------------------------
  419.  
  420.  
  421.  
  422.  
  423. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  424.  
  425. Quick Google search for "wannacry ransomeware analysis"
  426.  
  427.  
  428. Reference
  429. https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  430.  
  431. - Yara Rule -
  432.  
  433.  
  434. Strings:
  435. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  436. $s2 = “Wanna Decryptor” wide ascii nocase
  437. $s3 = “.wcry” wide ascii nocase
  438. $s4 = “WANNACRY” wide ascii nocase
  439. $s5 = “WANACRY!” wide ascii nocase
  440. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  441.  
  442.  
  443.  
  444.  
  445.  
  446.  
  447.  
  448.  
  449. Ok, let's look for the individual strings in our file
  450.  
  451.  
  452. ---------------------------Type This-----------------------------------
  453. cd ~/students/yourname/security/malware_analysis
  454.  
  455. strings wannacry.exe | grep -i ooops
  456.  
  457. strings wannacry.exe | grep -i wanna
  458.  
  459. strings wannacry.exe | grep -i wcry
  460.  
  461. strings wannacry.exe | grep -i wannacry
  462.  
  463. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  464. -----------------------------------------------------------------------
  465.  
  466.  
  467.  
  468.  
  469.  
  470. ################################
  471. # Good references for WannaCry #
  472. ################################
  473.  
  474. References:
  475.  
  476. https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
  477. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  478. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  479.  
  480.  
  481.  
  482.  
  483.  
  484.  
  485.  
  486.  
  487.  
  488.  
  489. ####################################
  490. # Tired of GREP - let's try Python #
  491. ####################################
  492. Decided to make my own script for this kind of stuff in the future. I
  493.  
  494. Reference1:
  495. https://infosecaddicts-files.s3.amazonaws.com/analyse_malware.py
  496.  
  497. This is a really good script for the basics of static analysis
  498.  
  499. Reference:
  500. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
  501.  
  502.  
  503. This is really good for showing some good signatures to add to the Python script
  504.  
  505.  
  506. Here is my own script using the signatures (started this yesterday, but still needs work):
  507. https://pastebin.com/guxzCBmP
  508.  
  509.  
  510.  
  511. ---------------------------Type This-----------------------------------
  512. wget https://pastebin.com/raw/guxzCBmP
  513.  
  514.  
  515. mv guxzCBmP am.py
  516.  
  517.  
  518. nano am.py
  519.  
  520. python am.py wannacry.exe
  521. -----------------------------------------------------------------------
  522.  
  523.  
  524.  
  525.  
  526.  
  527.  
  528.  
  529. ##############
  530. # Yara Ninja #
  531. ##############
  532. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
  533.  
  534. Quick Google search for "wannacry ransomeware analysis"
  535.  
  536.  
  537. Reference
  538. https://www.mcafee.com/blogs/other-blogs/executive-perspectives/analysis-wannacry-ransomware-outbreak/
  539.  
  540.  
  541.  
  542. - Yara Rule -
  543.  
  544.  
  545. Strings:
  546. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
  547. $s2 = “Wanna Decryptor” wide ascii nocase
  548. $s3 = “.wcry” wide ascii nocase
  549. $s4 = “WANNACRY” wide ascii nocase
  550. $s5 = “WANACRY!” wide ascii nocase
  551. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
  552.  
  553.  
  554.  
  555.  
  556.  
  557.  
  558.  
  559.  
  560. Ok, let's look for the individual strings
  561.  
  562. ---------------------------Type This-----------------------------------
  563. cd ~/students/yourname/security/malware_analysis
  564.  
  565. strings wannacry.exe | grep -i ooops
  566.  
  567. strings wannacry.exe | grep -i wanna
  568.  
  569. strings wannacry.exe | grep -i wcry
  570.  
  571. strings wannacry.exe | grep -i wannacry
  572.  
  573. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
  574.  
  575.  
  576. -----------------------------------------------------------------------
  577.  
  578.  
  579.  
  580.  
  581. Let's see if we can get yara working.
  582. ---------------------------Type This-----------------------------------
  583. cd ~/students/yourname/security/malware_analysis
  584.  
  585. mkdir quick_yara
  586.  
  587. cd quick_yara
  588. wget http://45.63.104.73/wannacry.zip
  589.  
  590. unzip wannacry.zip
  591. **** password is infected ***
  592. -----------------------------------------------------------------------
  593.  
  594.  
  595.  
  596.  
  597.  
  598. ---------------------------Type This-----------------------------------
  599.  
  600. nano wannacry_1.yar
  601.  
  602. ---------------------------Paste This-----------------------------------
  603. rule wannacry_1 : ransom
  604. {
  605. meta:
  606. author = "Joshua Cannell"
  607. description = "WannaCry Ransomware strings"
  608. weight = 100
  609. date = "2017-05-12"
  610.  
  611. strings:
  612. $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
  613. $s2 = "Wanna Decryptor" wide ascii nocase
  614. $s3 = ".wcry" wide ascii nocase
  615. $s4 = "WANNACRY" wide ascii nocase
  616. $s5 = "WANACRY!" wide ascii nocase
  617. $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
  618.  
  619. condition:
  620. any of them
  621. }
  622.  
  623. ----------------------------------------------------------------------------
  624.  
  625.  
  626.  
  627.  
  628.  
  629. ---------------------------Type This-----------------------------------
  630.  
  631. yara wannacry_1.yar wannacry.exe
  632.  
  633. -----------------------------------------------------------------------
  634.  
  635.  
  636.  
  637.  
  638.  
  639. ---------------------------Type This-----------------------------------
  640.  
  641. nano wannacry_2.yar
  642.  
  643. ---------------------------Paste This-----------------------------------
  644. rule wannacry_2{
  645. meta:
  646. author = "Harold Ogden"
  647. description = "WannaCry Ransomware Strings"
  648. date = "2017-05-12"
  649. weight = 100
  650.  
  651. strings:
  652. $string1 = "msg/m_bulgarian.wnry"
  653. $string2 = "msg/m_chinese (simplified).wnry"
  654. $string3 = "msg/m_chinese (traditional).wnry"
  655. $string4 = "msg/m_croatian.wnry"
  656. $string5 = "msg/m_czech.wnry"
  657. $string6 = "msg/m_danish.wnry"
  658. $string7 = "msg/m_dutch.wnry"
  659. $string8 = "msg/m_english.wnry"
  660. $string9 = "msg/m_filipino.wnry"
  661. $string10 = "msg/m_finnish.wnry"
  662. $string11 = "msg/m_french.wnry"
  663. $string12 = "msg/m_german.wnry"
  664. $string13 = "msg/m_greek.wnry"
  665. $string14 = "msg/m_indonesian.wnry"
  666. $string15 = "msg/m_italian.wnry"
  667. $string16 = "msg/m_japanese.wnry"
  668. $string17 = "msg/m_korean.wnry"
  669. $string18 = "msg/m_latvian.wnry"
  670. $string19 = "msg/m_norwegian.wnry"
  671. $string20 = "msg/m_polish.wnry"
  672. $string21 = "msg/m_portuguese.wnry"
  673. $string22 = "msg/m_romanian.wnry"
  674. $string23 = "msg/m_russian.wnry"
  675. $string24 = "msg/m_slovak.wnry"
  676. $string25 = "msg/m_spanish.wnry"
  677. $string26 = "msg/m_swedish.wnry"
  678. $string27 = "msg/m_turkish.wnry"
  679. $string28 = "msg/m_vietnamese.wnry"
  680.  
  681.  
  682. condition:
  683. any of ($string*)
  684. }
  685. ----------------------------------------------------------------------------
  686.  
  687.  
  688.  
  689.  
  690.  
  691.  
  692.  
  693.  
  694. ---------------------------Type This-----------------------------------
  695.  
  696. yara wannacry_2.yar wannacry.exe
  697.  
  698. -----------------------------------------------------------------------
  699.  
  700.  
  701.  
  702. ---------------------------Type This-----------------------------------
  703. cd ~/students/yourname/security/malware_analysis/quick_yara
  704.  
  705. git clone https://github.com/Yara-Rules/rules.git
  706.  
  707. cd rules/
  708.  
  709. cd malware/
  710.  
  711. rm -rf RAT_PoetRATPython.yar
  712.  
  713. cd ..
  714.  
  715. ./index_gen.sh
  716.  
  717. ls
  718.  
  719. cd malware/
  720.  
  721. ls | grep -i ransom
  722.  
  723. ls | grep -i rat
  724.  
  725. ls | grep -i toolkit
  726.  
  727. ls | grep -i apt
  728.  
  729. cd ..
  730.  
  731. cd capabilities/
  732.  
  733. ls
  734.  
  735. cat capabilities.yar
  736.  
  737. cd ..
  738.  
  739. cd cve_rules/
  740.  
  741. ls
  742.  
  743. cd ..
  744.  
  745. ./index_gen.sh
  746.  
  747. cd ..
  748.  
  749. yara -w rules/index.yar wannacry.exe
  750.  
  751.  
  752. ----------------------------------------------------------------------
  753.  
  754.  
  755. References:
  756. https://www.slideshare.net/JohnLaycock1/yet-another-yara-allocution-yaya
  757. https://www.slideshare.net/KasperskyLabGlobal/upping-the-apt-hunting-game-learn-the-best-yara-practices-from-kaspersky
  758.  
  759.  
  760.  
  761.  
  762.  
  763.  
  764.  
  765. #####################################################
  766. # Analyzing Macro Embedded Malware #
  767. #####################################################
  768. ---------------------------Type This-----------------------------------
  769. cd ~/students/yourname/security/malware_analysis
  770.  
  771. mkdir macro_docs
  772.  
  773. cd macro_docs
  774.  
  775. wget https://infosecaddicts-files.s3.amazonaws.com/064016.zip
  776.  
  777. wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
  778.  
  779. unzip oledump_V0_0_22.zip
  780.  
  781. unzip 064016.zip
  782. infected
  783.  
  784. python oledump.py 064016.doc
  785.  
  786. python oledump.py 064016.doc -s A4 -v
  787. -----------------------------------------------------------------------
  788.  
  789.  
  790.  
  791. - From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
  792. - Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.
  793.  
  794. ---------------------------Type This-----------------------------------
  795. python oledump.py 064016.doc -s A5 -v
  796. -----------------------------------------------------------------------
  797.  
  798. - As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
  799.  
  800. ---------------------------Type This-----------------------------------
  801. python oledump.py 064016.doc -s A3 -v
  802.  
  803. - Look for "GVhkjbjv" and you should see:
  804.  
  805. 636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B
  806.  
  807. - Take that long blob that starts with 636D and finishes with 653B and paste it in:
  808. http://www.rapidtables.com/convert/number/hex-to-ascii.htm
  809. -----------------------------------------------------------------------
  810.  
  811.  
  812.  
  813.  
  814. #########################################
  815. # Security Operations Center Job Roles #
  816. # Intrusion Analysis Level 1 #
  817. #########################################
  818. Required Technical Skills: Comfortable with basic Linux/Windows (MCSA/Linux+)
  819. Comfortable with basic network (Network+)
  820. Comfortable with security fundamentals (Security+)
  821.  
  822.  
  823.  
  824.  
  825.  
  826. Job Task: Process security events, follow incident response triage playbook
  827.  
  828. #########################################
  829. # Security Operations Center Job Roles #
  830. # Intrusion Analysis Level 2 #
  831. #########################################
  832.  
  833. Required Technical Skills: Comfortable with basic Linux/Windows system administration
  834. Comfortable with basic network administration
  835. Comfortable with basic programming
  836. Comfortable researching IT security issues
  837.  
  838.  
  839.  
  840.  
  841.  
  842. Job Task: Perform detailed malware analysis, assist with development of the incident response triage playbook
  843.  
  844. Sample Playbook: https://infosecaddicts-files.s3.amazonaws.com/IR-Program-and-Playbooks.zip
  845.  
  846.  
  847.  
  848. #########################################
  849. # Security Operations Center Job Roles #
  850. # Intrusion Analysis Level 3 #
  851. #########################################
  852.  
  853. Required Technical Skills: Strong statistical analysis background
  854. Strong programming background (C, C++, Java, Assembly, scripting languages)
  855. Advanced system/network administration background
  856. Comfortable researching IT security issues
  857.  
  858.  
  859.  
  860.  
  861.  
  862. Job Task: Perform detailed malware analysis
  863. Perform detailed statistical analysis
  864. Assist with development of the incident response triage playbook
  865.  
  866.  
  867.  
  868.  
  869. #################################################
  870. # Good references for learning Malware Analysis #
  871. #################################################
  872.  
  873. References:
  874. https://www.slideshare.net/SamBowne/cnit-126-ch-0-malware-analysis-primer-1-basic-static-techniques
  875. https://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-bsideslv-on-august-5-2014
  876. https://www.slideshare.net/Bletchley131/intro-to-static-analysis
  877.  
  878.  
  879.  
  880.  
  881.  
  882. #####################################
  883. ############################## # Day 2: Threat Hunting on the wire # ##############################
  884. #####################################
  885.  
  886.  
  887.  
  888.  
  889. - After logging please open a terminal window and type the following commands:
  890. ---------------------------Type This-----------------------------------
  891. cd ~/students/yourname/security/
  892. mkdir pcap_analysis
  893. cd pcap_analysis
  894. -----------------------------------------------------------------------
  895.  
  896.  
  897.  
  898.  
  899. ##################################################################
  900. # Analyzing a PCAP Prads #
  901. # Note: run as regular user #
  902. ##################################################################
  903.  
  904. ---------------------------Type this as a regular user----------------------------------
  905. cd ~/students/yourname/security/pcap_analysis/
  906.  
  907. mkdir prads
  908.  
  909. cd prads
  910.  
  911. wget http://45.63.104.73/suspicious-time.pcap
  912.  
  913. prads -r suspicious-time.pcap -l prads-asset.log
  914.  
  915. cat prads-asset.log | less
  916.  
  917. cat prads-asset.log | grep SYN | grep -iE 'windows|linux'
  918.  
  919. cat prads-asset.log | grep CLIENT | grep -iE 'safari|firefox|opera|chrome'
  920.  
  921. cat prads-asset.log | grep SERVER | grep -iE 'apache|linux|ubuntu|nginx|iis'
  922. -----------------------------------------------------------------------
  923.  
  924.  
  925.  
  926.  
  927. ##################################
  928. # PCAP Analysis with ChaosReader #
  929. # Note: run as regular user #
  930. ##################################
  931. ---------------------------Type this as a regular user----------------------------------
  932. cd ~/students/yourname/security/pcap_analysis/
  933.  
  934. mkdir chaos_reader/
  935.  
  936. cd chaos_reader/
  937.  
  938. wget http://45.63.104.73/suspicious-time.pcap
  939.  
  940. wget http://45.63.104.73/chaosreader.pl
  941.  
  942. perl chaosreader.pl suspicious-time.pcap
  943.  
  944. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
  945.  
  946. cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
  947.  
  948.  
  949. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
  950.  
  951.  
  952.  
  953. for i in session_00[0-9]*.http.html; do srcip=`cat "$i" | grep 'http:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'http:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u | awk '{print $5}' > url.lst
  954.  
  955.  
  956. wget https://raw.githubusercontent.com/Open-Sec/forensics-scripts/master/check-urls-virustotal.py
  957.  
  958.  
  959. python check-urls-virustotal.py url.lst
  960.  
  961.  
  962.  
  963. ------------------------------------------------------------------------
  964.  
  965.  
  966.  
  967.  
  968.  
  969.  
  970.  
  971.  
  972. #############################
  973. # PCAP Analysis with tshark #
  974. # Note: run as regular user #
  975. #############################
  976. ---------------------------Type this as a regular user---------------------------------
  977. cd ~/students/yourname/security/pcap_analysis/
  978.  
  979. mkdir tshark
  980.  
  981. cd tshark/
  982.  
  983. wget http://45.63.104.73/suspicious-time.pcap
  984.  
  985. tshark -i ens3 -r suspicious-time.pcap -qz io,phs
  986.  
  987. tshark -r suspicious-time.pcap -qz ip_hosts,tree
  988.  
  989. tshark -r suspicious-time.pcap -Y "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
  990.  
  991. tshark -r suspicious-time.pcap -Y "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
  992.  
  993.  
  994. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
  995.  
  996. whois rapidshare.com.eyu32.ru
  997.  
  998. whois sploitme.com.cn
  999.  
  1000. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
  1001.  
  1002. tshark -r suspicious-time.pcap -qz http_req,tree
  1003.  
  1004. tshark -r suspicious-time.pcap -Y "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
  1005.  
  1006. tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
  1007. ------------------------------------------------------------------------
  1008.  
  1009.  
  1010.  
  1011.  
  1012.  
  1013. ###############################
  1014. # Extracting files from PCAPs #
  1015. # Note: run as regular user #
  1016. ###############################
  1017. ---------------------------Type this as a regular user---------------------------------
  1018. cd ~/students/yourname/security/pcap_analysis/
  1019.  
  1020. mkdir extract_files
  1021.  
  1022. cd extract_files
  1023.  
  1024. wget http://45.63.104.73/suspicious-time.pcap
  1025.  
  1026. foremost -v -i suspicious-time.pcap
  1027.  
  1028. cd output
  1029.  
  1030. ls
  1031.  
  1032. cat audit.txt
  1033.  
  1034. cd exe
  1035.  
  1036. wget https://raw.githubusercontent.com/GREEKYnikhilsharma/Xen0ph0n-VirusTotal_API_Tool-Python3/master/vtlite.py
  1037. ---------------------------------------------------------------------------------------
  1038.  
  1039.  
  1040. ******* NOTE: You will need to put your virustotal API key in vtlite.py *******
  1041. * Create an account in virustotal > login > click on your profile > API key > copy API key > in terminal do nano vtlite.py >
  1042. * Paste the API key in where it says > profit
  1043. ********************************************************************************
  1044.  
  1045. ---------------------------Type this as a regular user---------------------------------
  1046. for f in *.exe; do python3 vtlite.py -s $f; sleep 20; done
  1047. ---------------------------------------------------------------------------------------
  1048.  
  1049.  
  1050. ###############################
  1051. # PCAP Analysis with Suricata #
  1052. # Note: run as root #
  1053. ###############################
  1054. --------------------------Type this as root--------------------------------
  1055. cd ~/students/yourname/security/pcap_analysis/
  1056.  
  1057. mkdir suricata
  1058.  
  1059. cd suricata/
  1060.  
  1061. wget http://45.63.104.73/suspicious-time.pcap
  1062.  
  1063. mkdir suri
  1064.  
  1065. sudo suricata -c /etc/suricata/suricata.yaml -r suspicious-time.pcap -l suri/
  1066.  
  1067. cd suri/
  1068.  
  1069. cat stats.log | less
  1070.  
  1071. cat eve.json |grep -E "e\":\"http"|jq ".timestamp,.http"|csplit - /..T..:/ {*}
  1072.  
  1073. cat xx01
  1074.  
  1075. cat xx02
  1076.  
  1077. cat xx03
  1078.  
  1079. cat xx04
  1080.  
  1081. cat xx05
  1082.  
  1083. cat xx06
  1084. ------------------------------------------------------------------------
  1085.  
  1086.  
  1087. #############################
  1088. # PCAP Analysis with Yara #
  1089. # Note: run as regular user #
  1090. #############################
  1091. -------------------------Type this as a regular user----------------------------------
  1092. cd ~/students/yourname/security/pcap_analysis/
  1093.  
  1094. git clone https://github.com/kevthehermit/YaraPcap.git
  1095.  
  1096. cd YaraPcap/
  1097.  
  1098. wget http://45.63.104.73/suspicious-time.pcap
  1099.  
  1100. wget https://github.com/Yara-Rules/rules/archive/master.zip
  1101.  
  1102.  
  1103. unzip master.zip
  1104.  
  1105. cd rules-master/
  1106.  
  1107. cd malware/
  1108.  
  1109. rm -rf RAT_PoetRATPython.yar
  1110.  
  1111. cd ..
  1112.  
  1113. ls
  1114.  
  1115. cat index.yar
  1116.  
  1117. clear
  1118.  
  1119. ./index_gen.sh
  1120.  
  1121. cd ..
  1122.  
  1123. mkdir matching_files/
  1124.  
  1125. python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
  1126.  
  1127. whereis tcpflow
  1128.  
  1129. vi yaraPcap.py **** fix line 35 with correct path to tcpflow (/usr/bin/tcpflow)****
  1130.  
  1131. python yaraPcap.py rules-master/index.yar suspicious-time.pcap -s matching_files/
  1132.  
  1133. cd matching_files/
  1134.  
  1135. ls
  1136.  
  1137. cat report.txt
  1138. ------------------------------------------------------------------------
  1139.  
  1140.  
  1141.  
  1142.  
  1143. #################################################################################
  1144. # Now that you know packet analysis here are the next set of files to play with #
  1145. #################################################################################
  1146. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/APT41/APT41_StoreSyncSvc.pcap
  1147. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Agent_Tesla/agenttesla_09July2019.pcap
  1148. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/CVE-2019-9978/CVE-2019-9978_attempt_05May2019.pcap
  1149. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Powershell/Powershell_script_19Dec2019.pcap
  1150. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/sharik_smoke/sharik_smoke.pcap
  1151. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0703.pcap
  1152. wget https://github.com/SpiderLabs/IOCs-IDPS/raw/master/Microsoft/CVE-2019-0801.pcap
  1153.  
  1154.  
  1155.  
  1156. References:
  1157. https://www.slideshare.net/j0b1n/tcpdump-hunter
  1158. https://www.slideshare.net/AviNetworks/reconsider-tcpdump-for-modern-troubleshooting
  1159.  
  1160.  
  1161.  
  1162. I often get asked how I did it. How did I learn Python without having been a computer science major, without having gone to college, and for that matter not actually learning to program until I had been in the field for 8 years. Here is what I did.
  1163.  
  1164.  
  1165. Step 1: Watch and do the newboston Python video series twice
  1166. https://www.youtube.com/playlist?list=PLEA1FEF17E1E5C0DA
  1167.  
  1168.  
  1169. Step 2: Watch and do the Google Python workshop twice
  1170. https://www.youtube.com/playlist?list=PLfZeRfzhgQzTMgwFVezQbnpc1ck0I6CQl
  1171.  
  1172.  
  1173. Step 3: Download all of the Python tools from PacketStorm and analyze the source code
  1174. https://packetstormsecurity.com/files/tags/python
  1175.  
  1176.  
  1177. Here is the code from Packet Storm
  1178. https://infosecaddicts-files.s3.amazonaws.com/PythonReferenceCode.zip
  1179.  
  1180. I went through almost every single file and looked up the code that I didn't understand.
  1181. I also asked programmers to help me understand the lines of code that didn't make sense.
  1182. In the folder RAC-Brute I actually had to hire a developer from an outsourcing website to comment,
  1183. and explain the tool to me.
  1184.  
  1185. Here is what I got out of doing that:
  1186. https://infosecaddicts-files.s3.amazonaws.com/Python/sorted-commented-python-files.zip
  1187.  
  1188.  
  1189.  
  1190. Distilled that into this:
  1191. https://infosecaddicts-files.s3.amazonaws.com/Python-Courseware.zip
  1192.  
  1193.  
  1194.  
  1195.  
  1196. ##############################
  1197. ----------- ############### # Day 3: Python Fundamentals # ############### -----------
  1198. ##############################
  1199.  
  1200.  
  1201. #####################
  1202. # Installing Python #
  1203. #####################
  1204. Windows
  1205.  
  1206. https://www.python.org/downloads/
  1207.  
  1208. 32-Bit Version
  1209. https://www.python.org/ftp/python/3.7.3/python-3.7.3-webinstall.exe
  1210.  
  1211. 64-Bit Version
  1212. https://www.python.org/ftp/python/3.7.3/python-3.7.3-amd64-webinstall.exe
  1213.  
  1214.  
  1215. After you install Python in Windows the next thing you may want to install is IdleX:
  1216. http://idlex.sourceforge.net/features.html
  1217.  
  1218. ---------------------------Type This-----------------------------------
  1219.  
  1220. Linux
  1221. Debian/Ubuntu: sudo apt-get install -y python
  1222. RHEL/CentOS/Fedora: sudo yum install -y python
  1223.  
  1224. -----------------------------------------------------------------------
  1225.  
  1226.  
  1227. After you install Python in Linux the next thing that you will need to do is install idle.
  1228.  
  1229. ---------------------------Type This-----------------------------------
  1230.  
  1231. sudo apt-get install -y idle
  1232.  
  1233. -----------------------------------------------------------------------
  1234.  
  1235. Open IDLE, and let's just dive right in.
  1236.  
  1237.  
  1238. Here is the information to put into putty
  1239.  
  1240. Host Name: 149.28.201.171
  1241. protocol: ssh
  1242. port: 22
  1243. username: chfi
  1244. password: chfi!chfi123!
  1245.  
  1246.  
  1247. If you are on a Mac (https://osxdaily.com/2017/04/28/howto-ssh-client-mac/)
  1248.  
  1249. Open a terminal, then type:
  1250. -------------------------------
  1251. ssh -l chfi 149.28.201.171
  1252. ------------------------------
  1253.  
  1254.  
  1255. ####################################
  1256. # Python Lesson 1: Simple Printing #
  1257. ####################################
  1258.  
  1259. ---------------------------Type This-----------------------------------
  1260. $ python3
  1261.  
  1262. >>> print ("Today we are learning Python.")
  1263.  
  1264. >>> exit()
  1265. -----------------------------------------------------------------------
  1266.  
  1267.  
  1268.  
  1269.  
  1270. ############################################
  1271. # Python Lesson 2: Simple Numbers and Math #
  1272. ############################################
  1273.  
  1274. ---------------------------Type This-----------------------------------
  1275. $ python3
  1276.  
  1277. >>> 2+2
  1278.  
  1279. >>> 6-3
  1280.  
  1281. >>> 18/7
  1282.  
  1283. >>> 18.0/7
  1284.  
  1285. >>> 18.0/7.0
  1286.  
  1287. >>> 18/7
  1288.  
  1289. >>> 9%4
  1290. 1
  1291. >>> 8%4
  1292. 0
  1293. >>> 8.75%.5
  1294.  
  1295. >>> 6.*7
  1296.  
  1297. >>> 7*7*7
  1298.  
  1299. >>> 7**3
  1300.  
  1301. >>> 5**12
  1302.  
  1303. >>> -5**4
  1304.  
  1305. >>> exit()
  1306.  
  1307. -----------------------------------------------------------------------
  1308.  
  1309.  
  1310.  
  1311. ##############################
  1312. # Python Lesson 3: Variables #
  1313. ##############################
  1314.  
  1315. ---------------------------Type This-----------------------------------
  1316. $ python3
  1317.  
  1318. >>> x=18
  1319.  
  1320. >>> x+15
  1321.  
  1322. >>> x**3
  1323.  
  1324. >>> y=54
  1325.  
  1326. >>> g=int(input("Enter number here: "))
  1327. Enter number here: 43
  1328. >>> g
  1329.  
  1330. >>> g+32
  1331.  
  1332. >>> g**3
  1333.  
  1334. >>> exit()
  1335.  
  1336. -----------------------------------------------------------------------
  1337.  
  1338.  
  1339.  
  1340.  
  1341.  
  1342. ##########################################
  1343. # Python Lesson 4: Modules and Functions #
  1344. ##########################################
  1345.  
  1346. ---------------------------Type This-----------------------------------
  1347. $ python3
  1348.  
  1349. >>> 5**4
  1350.  
  1351. >>> pow(5,4)
  1352.  
  1353. >>> abs(-18)
  1354.  
  1355. >>> abs(5)
  1356.  
  1357. >>> floor(18.7)
  1358.  
  1359. >>> import math
  1360.  
  1361. >>> math.floor(18.7)
  1362.  
  1363. >>> math.ceil(18.7)
  1364.  
  1365. >>> math.sqrt(81)
  1366.  
  1367. >>> joe = math.sqrt
  1368.  
  1369. >>> joe(9)
  1370.  
  1371. >>> joe=math.floor
  1372.  
  1373. >>> joe(19.8)
  1374.  
  1375. >>> exit()
  1376.  
  1377. -----------------------------------------------------------------------
  1378.  
  1379.  
  1380.  
  1381. ############################
  1382. # Python Lesson 5: Strings #
  1383. ############################
  1384.  
  1385. ---------------------------Type This-----------------------------------
  1386. $ python3
  1387.  
  1388. >>> "XSS"
  1389.  
  1390. >>> 'SQLi'
  1391.  
  1392. >>> "Joe's a python lover"
  1393.  
  1394. >>> "Joe said \"InfoSec is fun\" to me"
  1395.  
  1396. >>> a = "Joe"
  1397.  
  1398. >>> b = "McCray"
  1399.  
  1400. >>> a, b
  1401.  
  1402. >>> a+b
  1403.  
  1404. >>> exit()
  1405. -----------------------------------------------------------------------
  1406.  
  1407.  
  1408.  
  1409.  
  1410.  
  1411. #################################
  1412. # Python Lesson 6: More Strings #
  1413. #################################
  1414.  
  1415. ---------------------------Type This-----------------------------------
  1416. $ python3
  1417.  
  1418. >>> num = 10
  1419.  
  1420. >>> num + 2
  1421.  
  1422. >>> "The number of open ports found on this system is ", num
  1423.  
  1424. >>> num = str(18)
  1425.  
  1426. >>> "There are ", num, " vulnerabilities found in this environment."
  1427.  
  1428. >>> num2 = 46
  1429.  
  1430. >>> "As of 08/20/2012, the number of states that enacted the Security Breach Notification Law is ", + num2
  1431.  
  1432. >>> exit()
  1433. -----------------------------------------------------------------------
  1434.  
  1435.  
  1436.  
  1437.  
  1438.  
  1439. ########################################
  1440. # Python Lesson 7: Sequences and Lists #
  1441. ########################################
  1442.  
  1443. ---------------------------Type This-----------------------------------
  1444. $ python3
  1445.  
  1446. >>> attacks = ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  1447.  
  1448. >>> attacks
  1449. ['Stack Overflow', 'Heap Overflow', 'Integer Overflow', 'SQL Injection', 'Cross-Site Scripting', 'Remote File Include']
  1450.  
  1451. >>> attacks[3]
  1452. 'SQL Injection'
  1453.  
  1454. >>> attacks[-2]
  1455. 'Cross-Site Scripting'
  1456.  
  1457. >>> exit()
  1458.  
  1459.  
  1460.  
  1461. ------------------------------- Summary of fundamentals -------------------------------
  1462.  
  1463.  
  1464. Joe rule #1 single quote, single quote, left arrow
  1465. --------------------------------------------------
  1466. '' <-- as soon as you type '', then hit your left arrow key to put you inside of the ''
  1467. "" <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
  1468. something() <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
  1469. something[] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
  1470. something{} <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
  1471.  
  1472. -- Now kick it up a notch
  1473. [] <-- as soon as you type [], then hit your left arrow key to put you inside of the []
  1474. [()] <-- as soon as you type (), then hit your left arrow key to put you inside of the ()
  1475. [({})] <-- as soon as you type {}, then hit your left arrow key to put you inside of the {}
  1476. [({"''"})] <-- as soon as you type "", then hit your left arrow key to put you inside of the ""
  1477. [({"''"})] <-- as soon as you type '', then hit your left arrow key to put you inside of the ''
  1478.  
  1479.  
  1480.  
  1481. Joe rule #2 "Code can only do 3 things"
  1482. --------------------------------------
  1483.  
  1484. Process - read, write, math
  1485.  
  1486. Decision - if/then
  1487.  
  1488. Loop - for
  1489.  
  1490.  
  1491.  
  1492.  
  1493. Joe rule #3 "Never more than 5-10"
  1494. ---------------------------------
  1495.  
  1496. -----5 lines of code----
  1497. line 1 blah blah blah
  1498. line 2 blah blah blah
  1499. line 3 blah blah blah
  1500. line 4 blah blah blah
  1501. line 5 blah blah blah
  1502.  
  1503.  
  1504. sales_tax = price * tax_rate
  1505.  
  1506.  
  1507. 0.80 = 10 * 0.08
  1508.  
  1509. -----5-10 lines of code---- = function
  1510. price = 10
  1511.  
  1512. def st():
  1513. sales_tax = price * 0.08
  1514. print(sales_tax)
  1515.  
  1516.  
  1517. st(10) <---- how to run a function
  1518.  
  1519. -----5-10 functions ---- = class "tax class"
  1520. st()
  1521. lt()
  1522. pt()
  1523. it()
  1524. dt()
  1525.  
  1526.  
  1527.  
  1528. tax.st()
  1529. tax.lt()
  1530.  
  1531. -----5-10 functions ---- = class "expense class"
  1532. gas()
  1533. elec()
  1534. water()
  1535. food()
  1536. beer()
  1537.  
  1538. expense.gas()
  1539.  
  1540.  
  1541. -----5-10 classes ---- = module "finance module"
  1542.  
  1543. import finance
  1544.  
  1545.  
  1546. ------------------------------- Summary of fundamentals -------------------------------
  1547.  
  1548. ##################################
  1549. # Lesson 8: Intro to Log Analysis #
  1550. ##################################
  1551.  
  1552.  
  1553. Log into your Linux host then execute the following commands:
  1554. -----------------------------------------------------------------------
  1555. NOTE: If you are still in your python interpreter then you must type exit() to get back to a regular command-prompt.
  1556.  
  1557.  
  1558.  
  1559. ---------------------------Type This-----------------------------------
  1560. cd ~/students/yourname
  1561.  
  1562. wget http://pastebin.com/raw/85zZ5TZX
  1563.  
  1564. mv 85zZ5TZX access_log
  1565.  
  1566.  
  1567. cat access_log | grep 141.101.80.188
  1568.  
  1569. cat access_log | grep 141.101.80.188 | wc -l
  1570.  
  1571. cat access_log | grep 141.101.80.187
  1572.  
  1573. cat access_log | grep 141.101.80.187 | wc -l
  1574.  
  1575. cat access_log | grep 108.162.216.204
  1576.  
  1577. cat access_log | grep 108.162.216.204 | wc -l
  1578.  
  1579. cat access_log | grep 173.245.53.160
  1580.  
  1581. cat access_log | grep 173.245.53.160 | wc -l
  1582.  
  1583. ----------------------------------------------------------------------
  1584.  
  1585.  
  1586.  
  1587.  
  1588.  
  1589.  
  1590.  
  1591. ###############################################################
  1592. # Python Lesson 9: Use Python to read in a file line by line #
  1593. ###############################################################
  1594.  
  1595.  
  1596. ---------------------------Type This-----------------------------------
  1597.  
  1598. $ nano logread1.py
  1599.  
  1600.  
  1601. ---------------------------Paste This-----------------------------------
  1602. ## Open the file with read only permit
  1603. f = open('access_log', "r")
  1604.  
  1605. ## use readlines to read all lines in the file
  1606. ## The variable "lines" is a list containing all lines
  1607. lines = f.readlines()
  1608.  
  1609. print (lines)
  1610.  
  1611.  
  1612. ## close the file after reading the lines.
  1613. f.close()
  1614.  
  1615. ----------------------------------------------------------------------
  1616.  
  1617.  
  1618.  
  1619.  
  1620. ---------------------------Type This-----------------------------------
  1621. $ python3 logread1.py
  1622. ----------------------------------------------------------------------
  1623.  
  1624.  
  1625.  
  1626. Google the following:
  1627. - python difference between readlines and readline
  1628. - python readlines and readline
  1629.  
  1630.  
  1631. Here is one student's solution - can you please explain each line of this code to me?
  1632.  
  1633.  
  1634. ---------------------------Type This-----------------------------------
  1635. nano ip_search.py
  1636.  
  1637.  
  1638. ---------------------------Paste This-----------------------------------
  1639. #!/usr/bin/env python3
  1640.  
  1641. f = open('access_log')
  1642.  
  1643. strUsrinput = input("Enter IP Address: ")
  1644.  
  1645. for line in iter(f):
  1646. ip = line.split(" - ")[0]
  1647. if ip == strUsrinput:
  1648. print (line)
  1649.  
  1650. f.close()
  1651.  
  1652.  
  1653. ----------------------------------------------------------------------
  1654.  
  1655.  
  1656.  
  1657.  
  1658. ---------------------------Type This-----------------------------------
  1659. $ python3 ip_search.py
  1660. ----------------------------------------------------------------------
  1661.  
  1662.  
  1663.  
  1664. Working with another student after class we came up with another solution:
  1665.  
  1666. ---------------------------Type This-----------------------------------
  1667. nano ip_search2.py
  1668.  
  1669. ---------------------------Paste This-----------------------------------
  1670. #!/usr/bin/env python3
  1671.  
  1672.  
  1673. # This line opens the log file
  1674. f=open('access_log',"r")
  1675.  
  1676. # This line takes each line in the log file and stores it as an element in the list
  1677. lines = f.readlines()
  1678.  
  1679.  
  1680. # This lines stores the IP that the user types as a var called userinput
  1681. userinput = input("Enter the IP you want to search for: ")
  1682.  
  1683.  
  1684.  
  1685. # This combination for loop and nested if statement looks for the IP in the list called lines and prints the entire line if found.
  1686. for ip in lines:
  1687. if ip.find(userinput) != -1:
  1688. print (ip)
  1689.  
  1690. ----------------------------------------------------------------------
  1691.  
  1692.  
  1693.  
  1694. ---------------------------Type This-----------------------------------
  1695. $ python3 ip_search2.py
  1696. ----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement