Thursday, August 21, 2014

nmap bash script

Designed this nmap bash script to be able to run multiple different scans to pull information that is relevant and save it to unique files.  I also noticed that I was running similar nmap scans and thought I would combine them into a script that automates the process.

v0.2 - Fixed the smb-enum-shares nse by adding a smbdomain argument
        - Fixed the nmapSwitches variable in the nmap command inside of the for loop

#!/bin/bash

location='tallBuilding'
subnet='127.0.0.1'
ipList='results/ipList.txt'

# Creates the output and the results directory if they need to be created
if [ ! -d "output" ]; then
    mkdir output
    mkdir results
fi

# Run a host discovery scan to see which devices are available in the subnet
typeOfScan='nmap-sP'
nmap -sP $subnet -oA output/$location-$typeOfScan

# From the host discovery put together a list of IP Addresses that can be used in future scans
if [ -f "output/$location-$typeOfScan.nmap" ]; then
    cat output/$location-$typeOfScan.nmap | grep "Nmap scan report for" | awk '{print $5}' > $ipList
else
    echo "Unable to find the nmap host discovery list."
    exit
fi


################### Create a loop of the various nmap scans to perform ##############################
declare -a nmapSwitches=('-sV -p 20,21,22 --open --script ftp-anon.nse'
            '-sV -p 5800,5801,5802,5803,5900,5901,5902,5903 --open --script vnc-info.nse'
            '-sV -p 5800,5801,5802,5803,5900,5901,5902,5903 --open --script realvnc-auth-bypass.nse'
            '-p 69 -sU --open --script tftp-enum.nse'
            '-p T:53,U:53 --open'
            '-p 161 -sU --script snmp-brute'
            '--script smb-os-discovery.nse -p 445'
            '--script smb-check-vulns -p 445'
            '--script smb-enum-shares.nse --script-args smbdomain=domain,smbuser=user,smbpass=password -p 445');
declare -a typeOfScan=('nmap-sV-FTP'
            'nmap-sV-VNC'
            'nmap-sV-VNC-auth-bypass'
            'nmap-sU-TFTP'
            'nmap-DNS'
            'nmap-SNMP'
            'nmap-Samba-445'
            'nmap-Samba-check-vulns'
            'nmap-Samba-enum-shares');

for ((i=0; i<${#nmapSwitches[@]}; i++)); do
    typeOfScanVar=${typeOfScan[$i]}
    nmapSwitchesVar=${nmapSwitches[$i]}
    nmap $nmapSwitchesVar -iL $ipList -oA output/$location-$typeOfScanVar
done

Wednesday, August 20, 2014

List of Various CTF Sites

This list was provided by a friend of a variety of Capture the Flag events.

http://ctf365.com/
http://www.enigmagroup.org/
http://captf.com/practice-ctf/
https://www.hacking-lab.com/index.html
https://microcorruption.com/login
https://pentesterlab.com/
http://www.thisislegal.com/
http://captf.com/
http://io.smashthestack.org/
http://www.wechall.net/
http://repo.shell-storm.org/CTF/
http://exploit-exercises.com/
http://overthewire.org/wargames/
http://www.smashthestack.org/
http://www.crackmes.de/
http://amanhardikar.com/mindmaps/Practice.html
http://www.gh0st.net
http://www.root-me.org/?lang=en

Tuesday, August 19, 2014

Extract VBA code from Office Documents

http://digital-forensics.sans.org/blog/2009/11/23/extracting-vb-macros-from-malicious-documents

Sunday, August 17, 2014

Awards Assembly and Closing Comments from USCC Cyber Camp at SJSU

The below items are what I remember from those who spoke to us at the awards assembly at the USCC Cyber Camp at SJSU in 2014.

Jennifer Lesser is the Director of Security Operations at Facebook and the below comments are what I remember from her talking to us:

To change the game in security you need to have empathy.

She quoted Bill Gates in the following “optimism can fuel innovation and lead to new tools to eliminate suffering,” Gates said. “But if you never really see the people who are suffering, your optimism can’t help them. You will never change their world. … If our optimism doesn’t address the problems that affect so many of our fellow human beings, then our optimism needs more empathy.”

Find the culture [that you want to work in] and then Find the company that will meet your culture.

Their is a lack of encouragement in the information security field.

Often times people say, I won't be good at it.  Did you know that I have not touched a line of code since some of you were born.

Understand that you impact people everyday.

The best thing that can come about because of the security industry is the collaboration.

Admiral Patrick M. Walsh joined iSight Partners as a General Manager of Threatspace.

Take time to discuss risk and probability

Predict events on intelligence that you gather from your systems and the community.  Somebody's problem yesterday could be your problem today.

Learn how to communicate at or to the C-level, they want and need to know.

Look at history, for example, the Battle of Midway.  What were the tactics used for victory?

Read the "Net Diligence Report"

Top 3 risks that face companies: 1. Stolen Laptops, 2. Hackers, 3. Rogue Emplyees

Read the "Alt Report"

Montana Williams works as the Chief for the Cybersecurity Education & Awareness Branch at US Department of Homeland Security

Understand that we are at war in the cyber security field.

The cost of cyber incidents will exceed 381 billion dollars this year.

You can go pro in the cyber security sport.  Did you know that the average professional athlete in Basketball, Football, or Baseball lasts 3 years making roughly $300,000.  In the sport of cyber security their are over 300,000 positions currently open in the United States and they are paying very well and you will exceed that of an average pro athlete.

The cyber security environment has no boundaries.  It touches land, water, space, underground, science, and everywhere.

We need to evaluate our tactics as we did in the 1950's and 1960's and become smarter.  Did you know in 1966 we as a nation had a 1:1 kill ratio? We now have a 10:1 kill ratio.

We need to understand and study the tactics of our advesaries.

Be a lifelong learner

You are on the front line of the battle

There are officially documented 32 functional roles in cyber security

Josh Chin 

Stated that we heard from someone else and believes it is true that "Students change the future."

 

Wednesday, August 13, 2014

Python HTTP POST Request / Response

#!/usr/bin/python

import urllib2, urllib

url = 'http://127.0.0.1/temp.php'
data = {'parameter1':'value1', 'parameter2':'value2'}

data = urllib.urlencode(data)
request = urllib2.Request(url, data)
response = urllib2.urlopen(request)
pageReturned = response.read()

print(pageReturned)

Python HTTP GET Request / Response

#!/usr/bin/python

import urllib2

request = urllib2.Request('http://127.0.0.1/temp')

response = urllib2.urlopen(request)
pageReturned = response.read()

print (pageReturned)

Python Parser for Process Monitor CSV Output

Created a quick parser for Process Monitor csv output files.  I designed it to organize the output based on PID and Operation.  Then I chose to remove the timestamp and deduplicate the remaining information.

This was built to be a tool that can be used in conjunction with Process Monitor to help identify interesting activity.

#!/usr/bin/python
# Script is designed to parse a Process Monitor script and output organized by process and operation

# In my limited testing it took a 29M file down to 5M (At least a little easier to digest)
# It will deduplicate the rows in the output without the timestamp
# This tool is not to replace the output of Process Monitor it is only used as a tool to assist in finding valuable information


import sys
import os
import csv

csvFile='processMonitor.csv'

file = open(csvFile,'r')
reader = csv.reader(file)
# Gather the PIDs and make a uniq list of them
uniqPID = set() # This will store the unique PIDs found in the csv file
uniqOperation = set() # This will store the unique Operations found in the csv file
for row in reader:
    # Time of Day, Process Name, PID, Operation, Path, Result, Detail
    #      0             1        2       3       4      5       6
    if (row[2] != 'PID'):    # Remove the header out of the set
        uniqPID.add(row[2])
        uniqOperation.add(row[3])
file.close()

uniqPID = list(uniqPID) # Take the set and place it into a list
uniqOperation = list(uniqOperation)
uniqPID.sort(key=int)   # Sort the list based on an integer value
uniqOperation.sort(key=str)  

for pid in uniqPID:
        print "\n\n"
    for operation in uniqOperation:
        operationAppearanceCounter = 0
        uniqRow = set()
        file = open(csvFile,'r')
        reader = csv.reader(file)
        for row in reader:
            if (row[2] == pid):
                if (row[3] == operation):
                    if (operationAppearanceCounter == 0):
                        print "\nPID: " + pid + "     Operation: " + operation
                        print "----------------------------------------------"
                        operationAppearanceCounter = 1
                    newRow = row[1] + " " + row[2] + " " + row[3] + " " + row[4] + " " + row[5] + " " + row[6]
                    uniqRow.add(newRow)
        for deduplicatedRow in uniqRow:
            print deduplicatedRow



Monday, August 11, 2014

Python Parser for CaptureBAT logfile v0.2

This is an updated CaptureBAT parser.  If a blank line or an unreadable line is in the logfile it will give you a warning and continue.

Take the logfile output from CaptureBAT and throw it against this script to organize it.

"CaptureBat.exe -n -c -l logFile_output.txt"

#!/usr/bin/python

# Version 0.2: Added if a line in the log file can not be read then it lists a warning but continues

import sys

def parseFile(file, filter, specific):
        duplicate3rdItem=""
        duplicate4thItem=""

        for line in file:
                try:
                        items=line.split(',')
                        if items[1] == filter and items[2] == specific:
                                # Find the duplicates and remove them
                                if items[3] != duplicate3rdItem and items[4] != duplicate4thItem:
                                        print items[0] + " " + items[3] + " " + items[4].rstrip()
                                        duplicate3rdItem=items[3]
                                        duplicate4thItem=items[4]
                except:
                        # Continue on error
                        print "Warning: Log File has a line that can not be read."


if len(sys.argv) >= 2:
        captureFileLog='outputCaptureBat.log'
        parseValues = [ ['"file"', '"Write"', 'Files Written'], ['"file"', '"Delete"', 'Files Deleted'],
                        ['"process"', '"Created"', 'Processes Created'], ['"process"', '"terminated"', 'Processes Terminated'],
                        ['"registry"', '"DeleteValueKey"', 'Registry Deleted Value'], ['"registry"', '"SetValueKey"', 'SetValueKey'] ]
        for item in parseValues:
                print "\n" + item[2]
                print "-----------------------------------------------------------------------------------------------"
                file = open(captureFileLog, "r")
                parseFile(file, item[0], item[1])
else:
        print "Usage: ./script outputCaptureBat.log"

Saturday, August 9, 2014

Decode PHP encoded by cha88.cn

Below is a quick bash script that I wrote to decode some PHP web shells encoded by cha88.cn.  The decoding iterates through base64 decoding and gzinflating 30 times to then produce the original php code.

#!/bin/bash

workingFile=$1

tempFile="${workingFile}.temp"
tempFile2="${workingFile}.temp2"

cat $workingFile | grep -v -e "/\*" -e "online encode by cha88.cn!" -e "\*/" | sed 's/eval(/$uncompressed = /' | sed 's/?>/echo $uncompressed;\n?>/' | sed 's/)))\;/))\;/' > $tempFile

for i in {1..30}
do
php $tempFile | sed 's/?><?php/<?php/' | sed 's/eval(/$uncompressed = /' | sed 's/?><?/echo $uncompressed;\n?>/' | sed 's/)))\;/))\;/' > $tempFile2
mv -f $tempFile2 $tempFile
rm -f $tempFile2
done

Test Authentication from Linux Console using python3 pexpect

Working with the IT420 lab, you will discover that we need to discover a vulnerable user account.  The following python3 script uses the pex...